0

Angular app with service worker. CSP headers were updated to add a new frame-src. Safari picked up the header change fine. Chrome is blocking the iframe content, and the details for the block in the console.log shows the old CSP headers, without the new entry to the frame-src. However, when I look at the headers in the network tab, I do see the updated headers.

I don't know if it is related to the service worker but I am assuming that is the case. I have a refresh prompt when a new update is available, so I can confirm that service worker update process is working.

I tried adding

 "cacheQueryOptions": {
        "ignoreVary": false
 },

to my ngsw-config.json because, well, it's header related at least, but Chrome is still using the cached headers.

I have also verified my CSP headers are valid using the Google CSP validator.

I'm not sure where to go from here.

Improve this question
1
  • @pinturic the selected answer is what worked for me; adding it to the index.html. Commented Jun 10, 2024 at 12:52

1 Answer 1

Reset to default
0

I don't know if this is so much an answer as it is a work-around, but I found something that worked for this case. I added the frame-src portion of my CSP as a meta tag in the index.html file:

<meta http-equiv="Content-Security-Policy" content="frame-src 'self' foo etc;"/>

And now Chrome is allowing the iframe content.

This is just a duplicate of what is already in the CSP headers, but apparently it is enough to get Chrome to stop using the old cached headers.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.