This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

CSP frame-src issue when set iframe src SignOutIframeUrl in the view. #1380

Closed
singlewind opened this issue Aug 2, 2017 · 5 comments

@singlewind

Chrome won't load the iframe because the endsession endpoint contains HTML that tries to load a client page inside a frame, which is a different URL.

@brockallen
Member

This is true if they're mixed schemes (http/https). Might that be the issue?

@singlewind
Author

singlewind commented Aug 3, 2017

@brockallen I was thinking it is possible to add a Content-Security-Policy header for the endsession endpoint which just specifies the frame-src, which is the embedded URL. Do you think there is any security concern? It may not be just http/https. The client domain can be different as well.
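
An added example, not part of the original thread and not IdentityServer's own code: one way to derive the `frame-src` value proposed in the comment above from the clients' sign-out iframe URLs, listing origins only and reporting URLs that cannot be framed from an HTTPS page. The class and method names and the sample URLs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class EndSessionCsp
{
    // Hypothetical helper: builds a frame-src directive from the clients'
    // sign-out iframe URLs, listing origins only (scheme + host + port).
    public static string BuildFrameSrc(IEnumerable<string> signOutIframeUrls,
                                       bool pageIsHttps,
                                       out List<string> skipped)
    {
        var origins = new SortedSet<string>(StringComparer.Ordinal);
        skipped = new List<string>();
        foreach (var url in signOutIframeUrls)
        {
            bool ok = Uri.TryCreate(url, UriKind.Absolute, out Uri uri)
                      && (uri.Scheme == Uri.UriSchemeHttps
                          || (uri.Scheme == Uri.UriSchemeHttp && !pageIsHttps));
            // An http:// frame in an https:// page is blocked as mixed content
            // whatever the CSP says, so it is reported instead of listed.
            if (ok) origins.Add(uri.GetLeftPart(UriPartial.Authority));
            else skipped.Add(url);
        }
        return "frame-src " + (origins.Count == 0 ? "'none'" : string.Join(" ", origins));
    }

    public static void Main()
    {
        // Constructed sample URLs: a different domain, a non-default port,
        // a mixed-scheme client and a value that is not an http(s) URL.
        var urls = new[]
        {
            "https://app1.example.com/signout-oidc?sid=abc",
            "https://app2.example.org:5001/signout-oidc?sid=abc",
            "http://legacy.example.net/signout-oidc?sid=abc",
            "/signout-oidc"
        };
        string directive = BuildFrameSrc(urls, pageIsHttps: true, out var skipped);
        Console.WriteLine("Content-Security-Policy: " + directive);
        foreach (var s in skipped) Console.WriteLine("not framed: " + s);
    }
}
```

Listing origins instead of full URLs keeps the session id in the query string out of the header, and an empty client list yields `frame-src 'none'` instead of an unrestricted page.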

@brockallen
Member

Actually, we'll be making a change related to this: #1224

@brockallen
Member

Closing this as dup of #1224

@lock

lock bot commented Jan 14, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 14, 2020