manueltomasir

do i need that entire url in the frame-ancestors?

manueltomasir

Refused to load https://www.facebook.com/v3.3/plugins/customerchat.php?app_id=&attribution=setup_tool&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D44%23cb%3Df17552615cec0a2%26domain%3Dgreatwestradon.com%26origin%3Dhttps%253A%252F%252Fgreatwestradon.com%252Ff1e38712eb50ffe%26relation%3Dparent.parent&container_width=0&locale=en_US&logged_in_greeting=Hi!%20Feel%20free%20to%20ask%20us%20a%20question%20as%20you%20explore!&logged_out_greeting=Hi!%20Feel%20free%20to%20ask%20us%20a%20question%20as%20you%20explore!&page_id=774170459596443&sdk=joey&theme_color=%23009bd1 because it does not appear in the frame-ancestors directive of the Content Security Policy.

manueltomasir

coming through on the logo.svg request now as well

manueltomasir

Content-Security-Policy: default-src 'self'; script-src 'self' *.http://facebook.com 'unsafe-inline' frame-ancestors https://www.facebook.com/;

manueltomasir

ok i've got this set up now via my htaccess file in the /public dir

manueltomasir

you mentioned seeing CSP headers on that domain in the network tab...I can't see any, where did you see that?