Can't frame https://xxx-my.sharepoint.com because an ancestor violates


I got this error when I tried to (i)frame sharepoint.com : Refused to frame 'https://xxx-my.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com".

I've tried to put all of this CSP in the frame-ancestors but always get the same error. I wrote the headers in apache2:

Header always set Content-Security-Policy "default-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com; \
    frame-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com; \
    frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com; \
    script-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com"

(There are no spaces between the src directives in the real config; it's split up here just to make things clearer.) I've also tried to put X-Frame-Options, X-XSS-Protection, Access-Control-Allow-Origin and Access-Control-Allow-Headers. Nothing changes.

My iframe looks like this: <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms allow-modals" src="https://xxx.sharepoint.com/xxx/xxx/_layouts/15/Doc.aspx?sourcedoc={xxx}&action=edit&AllowTyping=True&wdDownloadButton=True&wdInConfigurator=True"></iframe> (I would like to open a file like Excel or Word in edit mode; with action=embedview it works, but I want action=edit.) How can I fix this issue?


Halvor Sakshaug

The error message means that you are trying to frame a page that has set specifically which other sites are allowed to frame it. If your hostname is not on that list, there is nothing you can do, except modifying headers by proxying the service, of course. In some cases services that restrict framing allow for configuration, so you should check if it is possible to allowlist your site to frame it.
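The point made in this answer, and the reason the Apache headers in the question have no effect, is that frame-ancestors is evaluated against the response of the page being framed (here, the SharePoint document), not against anything the framing site sends; the framing site's own CSP only restricts who may frame its pages. It is also not a fallback directive: default-src never applies to frame-ancestors. The script below is an added example, not code from the question or the answer, that implements the CSP3 host-source matching rules for frame-ancestors so you can check, offline, whether a given ancestor origin would be allowed by a given policy. The policy string is copied from the error message in the question; the origins it is tested against (www.example.com and so on) are constructed for the example.

```python
"""Check whether an ancestor origin may frame a document under that document's
Content-Security-Policy.  Added example; the policy below is the one quoted in the
question's error message and the tested origins are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed input: the frame-ancestors list the browser reported in the question.
SHAREPOINT_CSP = (
    "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com "
    "*.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com "
    "*.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net "
    "*.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com "
    "*.onedrive.live.com securebroker.sharepointonline.com"
)


def parse_directive(csp, name):
    """Return the source list of directive `name`, or None if the policy lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def origin_parts(origin):
    """(scheme, host, port) of an origin such as https://example.com:8443."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port


def source_matches(expr, ancestor, document):
    """CSP3 source-expression matching, reduced to what frame-ancestors needs."""
    a_scheme, a_host, a_port = origin_parts(ancestor)
    d_scheme, d_host, d_port = origin_parts(document)
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        # 'self' is the framed document's own origin, not the framing page's.
        return (a_scheme, a_host, a_port) == (d_scheme, d_host, d_port)
    if expr.endswith(":") and "/" not in expr:      # scheme-source, e.g. "https:"
        return a_scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]; ancestors carry no path.
    scheme = None
    rest = expr
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    rest = rest.split("/", 1)[0]
    host, _, port = rest.partition(":")
    # No scheme in the expression: the ancestor must use the document's scheme,
    # or https where the document is http (the spec's upgrade allowance).
    if scheme is None:
        if not (a_scheme == d_scheme or (d_scheme == "http" and a_scheme == "https")):
            return False
    elif a_scheme != scheme:
        return False
    # Host: "*" is any host; "*.x" requires a dotted suffix (so "*.microsoft.com"
    # does not match "notmicrosoft.com" or "microsoft.com"); otherwise exact.
    if host == "*":
        pass
    elif host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif a_host != host:
        return False
    # Port: absent means the scheme's default port; "*" is any; otherwise exact.
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    if port == "*":
        return True
    return a_port == int(port)


def may_frame(csp, ancestor, document):
    """True if `ancestor` may embed `document` under the policy `csp`."""
    sources = parse_directive(csp, "frame-ancestors")
    if sources is None:
        return True   # no frame-ancestors directive: CSP imposes no framing limit
    return any(source_matches(s, ancestor, document) for s in sources)


if __name__ == "__main__":
    doc = "https://xxx-my.sharepoint.com"
    for origin in ("https://teams.microsoft.com", "https://www.example.com",
                   "https://notmicrosoft.com", "http://teams.microsoft.com"):
        print(origin, "->", "allowed" if may_frame(SHAREPOINT_CSP, origin, doc) else "blocked")
```

Running it shows that only origins on SharePoint's own list pass; the asker's host would need to appear in that list, which only the framed site's operator can change. Note that the wildcard check insists on the dot boundary: a lookalike such as notmicrosoft.com is blocked even though it ends in "microsoft.com".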

Scott D. Carson

You can rewrite the CSP headers in SharePoint using the URL Rewrite module in IIS. If that's not installed, you can download it from Microsoft. The process goes like this:

  1. In URL Rewrite, go to View Server Variables and add a new one, RESPONSE_CONTENT_SECURITY_POLICY. Save it, and go back to rules.
  2. Add a new blank outbound rule, call it "Rewrite Content-Security-Policy".
  3. In "Matching Scope", select "Server Variable", and in the Variable name box, put RESPONSE_CONTENT_SECURITY_POLICY.
  4. In "Variable Value", select "Matches the pattern" using "Regular expressions", and enter the pattern ".*" (meaning match anything, even if missing)
  5. In the "Action Properties" section, put the value of the CSP header you want.
  6. Save the rule. You're done.

You can search for "rewrite headers iis url rewrite" to find examples from the MS documentation.
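The six UI steps above produce an outbound rule in the web.config of the SharePoint web application. The fragment below is an added example of what that rule looks like written out, not a file from the answer or from Microsoft's documentation; the framing host portal.example.com is hypothetical, and the rule assumes an on-premises SharePoint whose IIS you administer (it cannot be applied to the Microsoft-hosted sharepoint.com tenant in the question). The preCondition is an assumption added so that only HTML responses are rewritten.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Matches the existing Content-Security-Policy response header (".*" also
             matches when it is empty) and replaces its whole value. -->
        <rule name="Rewrite Content-Security-Policy" preCondition="IsHtml">
          <match serverVariable="RESPONSE_CONTENT_SECURITY_POLICY" pattern=".*" />
          <!-- Hypothetical framing host: list only the exact origin you need. -->
          <action type="Rewrite" value="frame-ancestors 'self' https://portal.example.com" />
        </rule>
        <preConditions>
          <!-- Assumed precondition: rewrite HTML pages only, not file downloads. -->
          <preCondition name="IsHtml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because frame-ancestors is SharePoint's clickjacking protection, keep the rewritten value as narrow as the one use case needs: one scheme-qualified host rather than a wildcard, and never '*'. Check the result with the browser's network panel or curl -I against a page URL before relying on it.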

Oceanhippie

Looks like this is fixed in the March 2024 SharePoint update (KB5002559 for 2016):

Improvements and fixes

This security update contains an improvement and a fix for the following nonsecurity issue in SharePoint Enterprise Server 2016:

Allows users to disable SharePoint's Content Security Policy (CSP) HTTP header in SharePoint Pages. If you don't want to enable the SharePoint CSP HTTP header in SharePoint Pages, you can run the following cmdlets in PowerShell:

Add-PSSnapin Microsoft.SharePoint.PowerShell
$farm = Get-SPFarm
$farm.EnableCSPHeaderForPage = $false
$farm.Update()

Fixes an unexpected exception in the Newsfeed feature.