ERROR - Content Security Policy directive - Help!

dmarcus · October 18, 2022, 1:51pm

Hi All,

Getting this error on a bunch of embedded customer sites this morning… does anyone know what it means? Everything was working perfectly yesterday

Refused to frame 'https://us-east-2.quicksight.aws.amazon.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors

EnriqueS · October 18, 2022, 3:50pm

Hello @dmarcus thanks for your question.

From the error you are getting I would say that the CSP in your website is restricting the content that your web application can embed using iframes (which is the underlying technology used on QS embedding).

Can you review your website CSP to see which is the policy you have applied?

CSP can be implemented either on the server side (returning the Content-Security-Policy HTTP header) or by setting it via a meta element

<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; img-src https://*; child-src 'none';" />

If this changed suddenly from one day to another I would suggest you to contact the application owner of the website you are embedding QS on or your security team as they should be able to shed some light on any changes to CSP that might have happened recently.

Hope this helps you to find the root cause of the issue.

Kind regards and happy dashboarding!

Kristin · October 18, 2022, 3:58pm

Thanks @EnriqueS for your rapid reply to @dmarcus.

@dmarcus, one of our PMs also suggested embedding domains to the allow list. Here is the documentation- Adding domains for embedded analytics - Amazon QuickSight

AnwarAli · October 18, 2022, 4:57pm

Hi Daniel,

As Enrique recommended please review your security policies for application website, to see if there is no such policy applied to block content from QuickSight (https://us-east-2.quicksight.aws.amazon.com/)

you can allow-list your application domain to QuickSight using QuickSight ADMIN user. Detail step to enable is in following link: Allow listing static domains - Amazon QuickSight

Kristin · October 18, 2022, 7:21pm

@dmarcus Did this get resolved for you? Hope so. Keep us posted.

dmarcus · October 18, 2022, 7:32pm

So… it magically fixed itself… which I’m happy about, but also very unsettling sat the same time

japeter89 · December 12, 2023, 8:59pm

I’m having same error. But in quicksight settings I have enabled everything public and allowed all domains such as salesforce and specific urls. Any further thoughts?

jafisher84 · April 9, 2024, 3:51am

@japeter89 Were you able to fix this? I’m having the same problem.

japeter89 · April 15, 2024, 6:10pm

@jafisher84 , I dont know if this is still an issue but I ended up taking a different route by using the link instead of the complete code for the iframe. and I beleive I needed to allow list all urls I was putting it in.