CSP - frame-ancestor

Refused to frame ‘https://eu-west-2.quicksight.aws.amazon.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors https://us-central1-myFunction.cloudfunctions.net”.

Hi and thank you for taking a look at my issue. I have read all the other topics posted on this issue but still haven’t been able to rectify it. This only applies to the Q Bar; my dashboards load fine in an iFrame in the same page.

I had this working without problems until I deleted my Topic and created a new one. I can confirm that I can retrieve the URL of the QBar just fine. I have also followed the advice of adding the CSP directive to my function (code below).

However, my assumption is that this is on my page’s server, which I am serving from Firebase hosting, and I have added a CSP response header there too, although it’s strange that this would now be required considering it worked before.

So, I am posting this in case I missed something when I created the new topic. Any advice would be really appreciated. Thank you…

```
const setCSPHeader = (response) => {
  response.set('Content-Security-Policy', "frame-ancestors 'self' https://us-central1-myFunction.cloudfunctions.net https://eu-west-2.quicksight.aws.amazon.com");
};
```

Hi @richardhamlyn,

Thanks for posting your question here. Can you confirm if

  • the new topic was created in the same region as the old one and
  • is the region the same as the region where the working dashboards are that you refer to?

Many Thanks,
Andrew

Hi Andrew, thank you for replying. I can confirm that my topic is in the same region and the old topic was in this region too.

Hi @richardhamlyn,

So all assets are in the same region? Even the dashboards as mentioned above?

Many Thanks,
Andrew

The problem was that I was trying to set the allowed domains in the ExperienceConfiguration, as well as in my IAM. When I removed the following from my code I was able to embed fine:

```
AllowedDomains: ['https://mysite.com', 'https://mysite2.com']
```
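
As an added illustration (not code from this thread or from QuickSight), the sketch below shows how a browser evaluates a `frame-ancestors` directive: the policy is taken from the framed response, and every ancestor page in the chain must match one of its sources. The hosting-page URL and the function names are assumptions, and matching is simplified to scheme, host and port.

```javascript
// Added example: simplified frame-ancestors check (scheme, host, port; paths ignored).
const FRAMED = 'https://eu-west-2.quicksight.aws.amazon.com/';
// Policy text as quoted in the browser error at the top of the thread.
const POLICY = 'frame-ancestors https://us-central1-myFunction.cloudfunctions.net';
// Constructed placeholder for the page that hosts the iframe (not given in the thread).
const HOSTING_PAGE = 'https://my-app.example/index.html';

function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent: this policy does not restrict framing
}

function sourceMatches(source, ancestor, framed) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === framed.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && ancestor.protocol !== `${scheme}:`) return false;
  const hostOk = wildcard ? ancestor.hostname.endsWith(`.${host}`) : ancestor.hostname === host;
  const defaultPort = ancestor.protocol === 'https:' ? '443' : '80';
  const portOk = port === undefined ? ancestor.port === ''
    : port === '*' || (ancestor.port || defaultPort) === port;
  return hostOk && portOk;
}

// Every ancestor in the frame chain must match at least one source.
function framingAllowed(cspHeader, ancestorUrls, framedUrl) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  const framed = new URL(framedUrl);
  return ancestorUrls.every((url) =>
    sources.some((src) => sourceMatches(src, new URL(url), framed)));
}

console.log(framingAllowed(POLICY, [HOSTING_PAGE], FRAMED)); // false
```

With the policy from the error message, only a page served from the Cloud Functions origin passes; a page on any other origin is refused, whatever CSP header that page itself sends.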