Connection problem: refused to frame '' because it violates the following content security policy directive default-src
Some of our remote users are getting this error:
I suspect this is not an actual problem with Timetracker, but I wondered if you had seen it before and could advise?
-
Hello, Simon
Thank you for your message.
This is the CSP policy restriction. CSP policies block attempts to load content from domains outside of the ones whitelisted in the CSP policy. To prevent this you need to add the appropriate CSP header in your IIS server.
Here is the article about how to add a header in IIS - https://www.reflections-ibs.com/blog/article/hardening-your-http-response-headers-in-iis-server-security-headers
To allow loading all kinds of content you can try to add a header like - Content-Security-Policy: default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'
I strongly recommend studying the topic of CSP policy in more depth. I just gave you an example.
But the main cause may be the http/https combination. Both TFS and Timetracker should use either http or https.
Best Regards
Dmitrii Vavel
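An added example, not code from this thread or from the Timetracker product: a small Python evaluator of the fallback a browser applies for a frame load (frame-src, then child-src, then default-src), run over the permissive header quoted in the answer above and over a tighter header that lists only the TFS origin. The host names tfs.example.com and timetracker.example.com are placeholders, and port matching is deliberately simplified.

```python
from urllib.parse import urlparse

# Fetch-directive fallback for a framed document (CSP Level 3):
# frame-src, then child-src, then default-src.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def governing_directive(policy):
    """Return the directive a browser consults for a frame load, or None if unrestricted."""
    return next((d for d in FRAME_FALLBACK if d in policy), None)

def source_matches(src, url, page_origin):
    """Simplified source-expression match: 'self', '*', scheme-source, host-source (no port rules)."""
    u, p = urlparse(url), urlparse(page_origin)
    if src == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "*":                      # matches any network scheme, but not data:, blob:, ...
        return u.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":"):               # scheme-source such as "https:"
        return u.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    if scheme:
        # an explicit http source also admits https (secure upgrade), never the reverse
        if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
            return False
    elif u.scheme != p.scheme and u.scheme != "https":
        return False                    # schemeless host inherits the page scheme; https is always ok
    hostname = host.rstrip("/").split(":")[0]
    if hostname == "*":
        return True
    if hostname.startswith("*."):
        return u.hostname.endswith(hostname[1:])
    return u.hostname == hostname

def frame_allowed(header, frame_url, page_origin):
    """(allowed, directive) for loading frame_url into a page served with this header."""
    policy = parse_csp(header)
    directive = governing_directive(policy)
    if directive is None:
        return True, None
    return any(source_matches(s, frame_url, page_origin) for s in policy[directive]), directive

# The permissive header quoted in the thread, beside a tighter one naming only the (placeholder) TFS origin.
PERMISSIVE = ("default-src *; style-src 'self' http://* 'unsafe-inline'; "
              "script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'")
TIGHT = "default-src 'self'; frame-src https://tfs.example.com"
```

The last check reproduces the http/https mismatch the answer mentions: a frame-src entry for https will not admit an http frame.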