ERROR - Content Security Policy directive - Help!

Hi All,

Getting this error on a bunch of embedded customer sites this morning… does anyone know what it means? Everything was working perfectly yesterday :frowning:

Refused to frame '' because an ancestor violates the following Content Security Policy directive: "frame-ancestors

Hello @dmarcus thanks for your question.

From the error you are getting I would say that the CSP in your website is restricting the content that your web application can embed using iframes (which is the underlying technology used on QS embedding).

Can you review your website CSP to see which is the policy you have applied?

CSP can be implemented either on the server side (returning the Content-Security-Policy HTTP header) or by setting it via a meta element

  content="default-src 'self'; img-src https://*; child-src 'none';" />

If this changed suddenly from one day to another I would suggest you to contact the application owner of the website you are embedding QS on or your security team as they should be able to shed some light on any changes to CSP that might have happened recently.

Hope this helps you to find the root cause of the issue.

Kind regards and happy dashboarding!


Thanks @EnriqueS for your rapid reply to @dmarcus.

@dmarcus, one of our PMs also suggested embedding domains to the allow list. Here is the documentation- Adding domains for embedded analytics - Amazon QuickSight

1 Like

Hi Daniel,

As Enrique recommended please review your security policies for application website, to see if there is no such policy applied to block content from QuickSight (

you can allow-list your application domain to QuickSight using QuickSight ADMIN user. Detail step to enable is in following link: Allow listing static domains - Amazon QuickSight


@dmarcus Did this get resolved for you? Hope so. Keep us posted.

1 Like

So… it magically fixed itself… which I’m happy about, but also very unsettling sat the same time

I’m having same error. But in quicksight settings I have enabled everything public and allowed all domains such as salesforce and specific urls. Any further thoughts?

@japeter89 Were you able to fix this? I’m having the same problem.

@jafisher84 , I dont know if this is still an issue but I ended up taking a different route by using the link instead of the complete code for the iframe. and I beleive I needed to allow list all urls I was putting it in.

1 Like