So I'm putting a plugin together that will allow me to connect multiple client sites with an online service.

I can get the service vendor's snippet to load, but once you interact with it, that's where things get tricky and it refuses to load an (I guess) iframe... ...it's pretty poorly documented.

Refused to load https://www.service-domain/ because it does not appear in the frame-ancestors directive of the Content Security Policy.

That's the console log error I was receiving.

So I jumped back into my plugin and added the following:

function bbti_send_headers() {
    header( "Content-Security-Policy: frame-ancestors https://www.service-domain/; frame-src https://www.service-domain/;" );
}
add_action( 'send_headers', 'bbti_send_headers' );

Now, when I reload the page I'm still getting the same error Refused to load https://www.service-domain/... etc...

However, if I look at the network panel and check the page's headers this is what I get:

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors https://www.service-domain/; frame-src https://www.service-domain/;

So the header is there but still getting the same error from the script.

Anyone know what it is I missed?

asked Mar 13, 2021 at 4:15 by Tony Djukic
  • 1 If the error says "Refused to load https://www.service-domain/", then it's probably because the resource/page at service-domain is disallowing itself from being put in an iframe or frame (within certain pages). So basically, you'd need to contact the service vendor for guidance on fixing the issue.. (or the proper way to load their snippet on your plugin page). And actually, it's them who would add the header (in your bbti_send_headers()) and not your plugin.. I mean, if the header was actually needed. – Sally CJ Commented Mar 16, 2021 at 11:49
  • 1 Sally CJ, this is part of what I figured out the day after posting the question. The embed code used is what's provided by a 'builder' from the vendor, so I assumed that was correct as they had generated it. What's really going on is that the individual who set the account up, set it up for the client's LIVE url, even though we're doing all our work in a staging environment with a different URL. So our staging/development URL isn't recognized and thus blocked. :-/ Sadly the vendor doesn't provide a means to change it, so we're stuck waiting for them to do it. – Tony Djukic Commented Mar 16, 2021 at 14:16
  • There is a secondary issue though in that the script they generate/provide via their 'builder' utility ends up generating an incorrect url to make its call... it runs a search at service-domain/Client%20Company%20Name/?search which returns a 404, but if you edit the string manually and drop it into your browser as service-domain/clientcompanyname/?search you get the expected result. (Troubleshooting is exponentially more difficult when you've got multiple errors and you don't know if they're separate or if one is the cause of the other.) – Tony Djukic Commented Mar 16, 2021 at 14:19
  • "so we're stuck waiting for them to do it" - well then, I have no further comments on that.. But as for the secondary issue, although it seems easily fixable (programmatically), you should notify the vendor so that they could fix the issue ASAP. (Maybe their 'builder' is still in beta or something like that?)
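
The distinction raised in the comments, as an added example that is not part of the original thread: `frame-src` is read from the embedding page's policy, while `frame-ancestors` is read from the framed response's policy, so a `frame-ancestors` header sent by the plugin cannot unblock the vendor's page. The function names, the `client.example` hosts and the vendor policy value are constructed for illustration, and matching is simplified to origins of the direct parent only.

```javascript
// Simplified model of how a browser applies the two directives in this thread.
// Origin comparison only: paths, wildcard hosts and nested ancestors are out of scope.
function parseCsp(header) {
  const directives = {};
  for (const part of (header || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function matchesSource(url, sources, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return origin === selfOrigin;
    try { return new URL(src).origin === origin; } catch { return false; } // 'none' etc.
  });
}

function canEmbed(parentUrl, parentCsp, frameUrl, frameCsp) {
  const parent = parseCsp(parentCsp);
  const frame = parseCsp(frameCsp);
  // 1. The embedding page's policy decides what it may load into frames.
  const frameSrc = parent['frame-src'] || parent['child-src'] || parent['default-src'];
  if (frameSrc && !matchesSource(frameUrl, frameSrc, new URL(parentUrl).origin)) {
    return { allowed: false, blockedBy: 'frame-src on the embedding page' };
  }
  // 2. The framed response's policy decides who may embed it. A frame-ancestors
  //    directive sent by the embedding page is never consulted for this check.
  const ancestors = frame['frame-ancestors'];
  if (ancestors && !matchesSource(parentUrl, ancestors, new URL(frameUrl).origin)) {
    return { allowed: false, blockedBy: 'frame-ancestors on the framed response' };
  }
  return { allowed: true, blockedBy: null };
}

// Constructed sample values; only PLUGIN_CSP and the vendor host come from the question.
const VENDOR = 'https://www.service-domain/';
const VENDOR_CSP = 'frame-ancestors https://www.client.example'; // account set up for the live URL
const PLUGIN_CSP = 'frame-ancestors https://www.service-domain/; frame-src https://www.service-domain/;';
const STAGING = 'https://staging.client.example/page';
const LIVE = 'https://www.client.example/page';
console.log('staging:', canEmbed(STAGING, PLUGIN_CSP, VENDOR, VENDOR_CSP));
console.log('live:   ', canEmbed(LIVE, PLUGIN_CSP, VENDOR, VENDOR_CSP));
```

In this model the staging result is identical with or without the plugin's header, which matches the behaviour described in the question.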
