Select to view content in your preferred language

Allow the addition of trusted servers for Content Security Policy headers

01-17-2021 02:00 PM
Status: Open
Occasional Contributor III


Currently trying to return popups from WMS layer can fail if the WMS comes from certain sources.


From Chrome console:

Refused to frame '' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' * *".

From Chrome Issues:

Content Security Policy of your site blocks some resources because their origin is not included in the content security policy header
The Content Security Policy (CSP) improves the security of your site by defining a list of trusted sources and instructs the browser to only execute or render resources from this list. Some resources on your site can't be accessed because their origin is not listed in the CSP.

To solve this, carefully check that all of the blocked resources listed below are trustworthy; if they are, include their sources in the content security policy of your site. You can set a policy as a HTTP header (recommended), or via an HTML <meta> tag.

:warning: Never add a source you don't trust to your site's Content Security Policy. If you don't trust the source, consider hosting resources on your own site instead.

1 directive
Resource	Status	Directive	Source code	blocked	frame-ancestors	
Learn more: Content Security Policy - Source Allowlists

If we could add the domains of those WMS layers to a list of domains that are included in CSP headers then the popups would load.  This could be done:

  1. In the map settings
  2. automatically when a WMS is added to content/map
  3. Manually on a per layer setting
  4. In the organisation settings for servers that are particularly trustworthy.

My preference is in the map - so you add a WMS service, and then if the popup isn't loading you can define the server in the map settings that should be allowed and then it is included in the headers when the map loads.