I've got a need to whitelist my website from being iframed just for one particular domain. The URL accessing the wildcard will be something like https://app.domain.com/project/123/456
The https://app.domain.com/project/123 section always stays constant but the end will change.
I tried to implement the below frame-ancestors directive but it fails with an error in the browser.
frame-ancestors 'self' https://app.domain.com/project/123/*;
The error I get is
Refused to frame 'https://yourdomain.cloud/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://app.domain.com/project/123/*".
Does the wildcard work only at the subdomain or port level?
The wildcard must be leading. Please check this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
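
The wildcard placement discussed above, as an added example that is not part of the original thread: a small linter for a frame-ancestors value that follows the CSP host-source grammar, where `*` is allowed only as the leading host label or as the whole port. It also flags path components, on the basis that CSP Level 3 matches frame-ancestors against the embedding page's origin; `lintSource`, `lintFrameAncestors` and the message strings are names made up for this sketch.

```javascript
// Added example (not from the thread). Function names and messages are hypothetical.
const KEYWORDS = new Set(["'self'", "'none'"]);
const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;
// Groups: 1 scheme, 2 host, 3 port, 4 path
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::([^\/]+))?(\/.*)?$/i;
// "*" alone, "*." plus labels, or plain labels: the wildcard can only lead.
const HOST_OK = /^(\*|(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*)$/i;

function lintSource(src) {
  if (KEYWORDS.has(src.toLowerCase()) || SCHEME_ONLY.test(src)) return null;
  const m = HOST_SOURCE.exec(src);
  if (!m) return { source: src, problems: ["not a valid host-source"], suggestion: null };
  const [, , host, port, path] = m;
  const problems = [];
  if (!HOST_OK.test(host)) {
    problems.push("host wildcard must be the leading label, e.g. *.example.com");
  }
  if (port !== undefined && !/^(\d+|\*)$/.test(port)) {
    problems.push("port must be digits or a lone *");
  }
  const originPartOk = problems.length === 0;
  const hasPath = Boolean(path) && path !== "/";
  if (hasPath) {
    // Matching uses the embedding page's origin, so a path never narrows it,
    // and "*" inside a path is a literal character, not a wildcard.
    problems.push("path is not matched for frame-ancestors; list the origin only");
  }
  if (problems.length === 0) return null;
  // Offer the origin-only form when the path is the sole problem.
  const suggestion = originPartOk && hasPath ? src.slice(0, src.length - path.length) : null;
  return { source: src, problems, suggestion };
}

function lintFrameAncestors(value) {
  const tokens = value.replace(/;\s*$/, "").trim().split(/\s+/).filter(Boolean);
  if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") tokens.shift();
  return tokens.map(lintSource).filter(Boolean);
}

// Constructed input: the directive from the question.
console.log(lintFrameAncestors("frame-ancestors 'self' https://app.domain.com/project/123/*;"));
```

The origin-only suggestion allows every page on that origin to frame the site, so any per-project restriction has to be enforced some other way.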