  1. Sakai
  2. SAK-33933

Sites using CSP frame-ancestors do not seem to be detected correctly

    Details

    • Type: Bug
    • Status: OPEN
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.0, 19.0
    • Fix Version/s: None
    • Component/s: Web Content
    • Labels:
      None
    • Test Plan:
      • Add a Web Content tool to a site
      • As the URL use https://www.cnn.com
      • Save the site

      Expected: CNN either opens in the frame or offers to open in a new site
      Actual: Blank window with error in console.

      Description

      I believe there's a bug with the web content "Open in New Window" detection with CSP. When using "https://www.cnn.com" it doesn't detect that it needs a new window.

      The web console says:

      Refused to display 'https://www.cnn.com/' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.cnn.com:* *.turner.com:* courageousstudio.com".
      

      http://www.cnn.com IS correctly detected.

      I also think, like LSNBLDR-937, it should be either removing the option entirely and/or telling the user why they can't leave the pages open in the same window.
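
A header check of the kind this report calls for, as an added example (not Sakai's code and not part of the reporter's description): it decides from a target's response headers whether the page may be framed by a given embedding origin, evaluating CSP frame-ancestors before falling back to X-Frame-Options. The function names, the "frame"/"new-window" return values and the embedder URL used with it are assumptions; only the direct embedder is checked, whereas browsers check every ancestor frame.

```javascript
// Added example, not Sakai code. Simplified matcher for CSP "frame-ancestors":
// handles 'self', '*', scheme sources, and host sources with "*." and ":*".
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// An https embedder also satisfies an expected http scheme.
const schemeOk = (want, actual) => actual === want || (want === "http:" && actual === "https:");

function matchesSource(expr, embedder, target) {
  if (expr === "*") return true;
  if (expr.toLowerCase() === "'self'") return embedder.origin === target.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeOk(expr.toLowerCase(), embedder.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false; // 'none' and anything unparseable match nothing
  const [, scheme, host, port] = m;
  // With no scheme in the expression, the framed page's own scheme is expected.
  if (!schemeOk(scheme ? scheme.toLowerCase() + ":" : target.protocol, embedder.protocol)) return false;
  const h = host.toLowerCase();
  // "*.cnn.com" covers subdomains only, never the bare domain.
  if (h.startsWith("*.") ? !embedder.hostname.endsWith(h.slice(1)) : h !== "*" && h !== embedder.hostname) return false;
  const defaultPort = DEFAULT_PORT[embedder.protocol];
  return port === "*" || (embedder.port || defaultPort) === (port || defaultPort);
}

// Returns "frame" if the target may be shown in an iframe on embedderUrl, else "new-window".
function framingDecision(headers, embedderUrl, targetUrl) {
  const embedder = new URL(embedderUrl), target = new URL(targetUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  let sawFrameAncestors = false;
  // Several policies may arrive comma-joined; every one of them must allow the embedder.
  for (const policy of (h["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      sawFrameAncestors = true;
      if (!sources.some((s) => matchesSource(s, embedder, target))) return "new-window";
      break; // only the first frame-ancestors directive in a policy counts
    }
  }
  if (sawFrameAncestors) return "frame"; // frame-ancestors takes precedence over X-Frame-Options
  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "new-window";
  if (xfo === "sameorigin" && embedder.origin !== target.origin) return "new-window";
  return "frame";
}

// The policy quoted in the console message above.
const CNN_CSP = "frame-ancestors 'self' *.cnn.com:* *.turner.com:* courageousstudio.com";
```

Called as framingDecision({ "Content-Security-Policy": CNN_CSP }, "https://sakai.example.edu/portal", "https://www.cnn.com/") (the Sakai host is constructed), it returns "new-window", which is the outcome the test plan expects the tool to reach.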

                People

                • Assignee:
                  maintenanceteam Core Team
                  Reporter:
                  jonespm Matthew Jones