Wednesday, 14 June 2017

Content Security Policy (CSP): port in domain directive

For some reason most of the documentation on Content Security Policy doesn't say anything about ports in directives. I found that CSP treats the same host on different ports as completely different origins. If you have a directive like frame-ancestors 'self' * - it will not work if your client is embedding your application from a different port; your directive should then be frame-ancestors 'self' * *.

It is also possible to use "star notation" for the port: frame-ancestors 'self' **
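To make the port behaviour concrete, here is an added example (not code from the original post) of a simplified CSP host-source matcher in JavaScript, following the port rules of the CSP3 "does url match source expression" algorithm: 'self' is an exact origin (scheme, host and port), a host-source without a port only matches the scheme's default port, and a trailing :* matches any port. The function and constant names are this example's own; the http-to-https default-port mapping of the spec is deliberately left out to keep the matcher short.

```javascript
// Added example, not the blog's own code: a simplified CSP host-source
// matcher that shows why "https://partner.example" does not cover
// "https://partner.example:8080", and why ":*" does.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Effective port of a URL: the explicit port, or the scheme's default.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Parse a host-source such as "https://app.example.com:8080" or "*.example.com:*"
// into its parts. scheme and port are undefined when omitted.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : undefined,
    wildcardHost: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4],
  };
}

// Does the embedder origin `originUrl` satisfy one source expression?
// `selfUrl` is the protected document's own origin, used for 'self' and
// as the default scheme of a scheme-less host-source.
function matchesSource(expr, originUrl, selfUrl) {
  const url = new URL(originUrl);
  const self = new URL(selfUrl);
  if (expr === "'none'") return false;
  if (expr === "*") return true; // simplified: CSP still restricts schemes here
  if (expr === "'self'") {
    // 'self' is an exact origin: scheme, host AND port must all agree.
    return url.protocol === self.protocol &&
      url.hostname === self.hostname &&
      effectivePort(url) === effectivePort(self);
  }
  const src = parseHostSource(expr);
  const scheme = src.scheme || self.protocol;
  // An http: source also matches https: URLs (CSP3 scheme-part matching).
  if (!(url.protocol === scheme || (scheme === "http:" && url.protocol === "https:"))) {
    return false;
  }
  if (src.wildcardHost) {
    // "*.example.com" matches "a.example.com" but not "example.com" itself.
    if (!url.hostname.endsWith("." + src.host)) return false;
  } else if (url.hostname !== src.host) {
    return false;
  }
  if (src.port === "*") return true;                       // star notation: any port
  if (src.port === undefined) {                            // no port: default port only
    return effectivePort(url) === DEFAULT_PORTS[url.protocol];
  }
  return effectivePort(url) === src.port;                  // explicit port: exact match
}

// Evaluate a whole frame-ancestors value: one matching source is enough.
function frameAncestorsAllows(directiveValue, embedderOrigin, selfOrigin) {
  return directiveValue.trim().split(/\s+/)
    .some((expr) => matchesSource(expr, embedderOrigin, selfOrigin));
}

// Constructed sample: app.example is the protected page, partner.example embeds it.
const SELF = "https://app.example";
console.log(frameAncestorsAllows("'self' https://partner.example", "https://partner.example:8080", SELF));      // false
console.log(frameAncestorsAllows("'self' https://partner.example:8080", "https://partner.example:8080", SELF)); // true
console.log(frameAncestorsAllows("'self' https://partner.example:*", "https://partner.example:8443", SELF));    // true
```

The useful check for a deployment is the second call: if the embedding page is served on a non-default port, the policy must either name that port or use the :* form, otherwise the browser refuses the frame even though the hostname is listed.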
