Content-Security-Policy: frame-ancestors preventing from saving page

Gustavo Quevedo asked on January 10, 2020 18:31

Hi all,

I'm experiencing a very strange error when editing a page on Kentico 12 SP MVC.

When I try to save any page whose HTML, within one of its Rich text fields, includes the text "class." (note the period), I get a blank page on the right-hand panel of the CMS and the page is not saved. This doesn't happen if I include, e.g., white space or an empty tag in between.

I have checked that Kentico returns the header Content-Security-Policy: frame-ancestors only when the text above is included in a Rich text editor.

See screenshot below: [screenshot not reproduced]

I've seen that the Kentico documentation mentions the header in a section related to the preview mode, but I don't think this is the same case:

https://docs.kentico.com/k12sp/developing-websites/retrieving-content-in-mvc-applications/adding-preview-mode-support#Addingpreviewmodesupport-Clickjackingprotectionandpreviewmode

I cannot debug the error as I can't recreate it locally because the header is not being sent locally for some reason.

Any help would be much appreciated.

Kind regards,

Gustavo

Correct Answer

Gustavo Quevedo answered on January 23, 2020 16:37

This problem was due to a filter set by default by the network provider to prevent attackers from exploiting a Java Struts 2 vulnerability.

After this was disabled all worked as expected.

Therefore, nothing to do with Kentico.


Recent Answers


Zoltán Jalsovszky answered on January 13, 2020 08:25

Hi Gustavo!

There was a similar issue after releasing Kentico 12SP, which was already fixed in later hotfix versions. Can you please try installing the latest hotfix? Make sure that you upgrade the NuGet packages for your MVC application as well.


Gustavo Quevedo answered on January 15, 2020 18:27

Hi Zoltán,

Thanks for your reply.

I have installed the Hotfix 53 and upgraded Kentico NuGet packages to the version 12.0.53 but nothing seems to fix it.

Any other idea?

Thanks

Gustavo


mike mathes answered on January 25, 2020 19:58 (last edited on January 25, 2020 20:00)

I have the same issue. Upgraded to Hotfix 55 and can't figure out how to configure Kentico to stop sending the frame-ancestors Content Security Policy. Adding the policy and setting it to 'none' just causes multiple Content Security Policy lines to get added to the HTTP response.

The response headers look like this and I still get the same error:

    content-security-policy: frame-ancestors 'none'
    content-security-policy: frame-ancestors 'self'
    content-security-policy: frame-ancestors 'none'

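The three-header response above illustrates why adding a second frame-ancestors policy cannot loosen the first: a browser enforces every Content-Security-Policy it receives (each header line, and each comma-separated policy within a line) independently, so the page is framable only if all of them allow the framing origin, and frame-ancestors never falls back to default-src. The following evaluator is an added example for this thread, not Kentico code and not posted by anyone in the discussion; the header lists and hostnames (www.example.com, admin.example.com) are constructed for illustration.

```python
"""Evaluate frame-ancestors across several Content-Security-Policy headers.

Added example (not Kentico code). Each header line, and each comma-separated
policy inside a line, is a separate policy; framing is permitted only if ALL
policies that carry frame-ancestors allow the ancestor origin.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def split_policies(header_values):
    """Turn raw header values into a list of {directive: [sources]} dicts.

    header_values holds one string per Content-Security-Policy header line. A
    directive repeated inside one policy is ignored after its first occurrence.
    """
    policies = []
    for value in header_values:
        for policy_text in value.split(","):
            directives = {}
            for directive in policy_text.split(";"):
                tokens = directive.split()
                if tokens:
                    directives.setdefault(tokens[0].lower(), tokens[1:])
            if directives:
                policies.append(directives)
    return policies


def source_matches(source, ancestor, protected):
    """Match one frame-ancestors source expression against an ancestor origin.

    Handles 'self', 'none' (never matches), '*', scheme-sources such as
    "https:", and host-sources with optional scheme, leading "*." wildcard
    and optional port. Paths are ignored; frame-ancestors compares origins.
    """
    src = source.lower()
    a_scheme, a_host, a_port = ancestor
    if src == "'self'":
        return ancestor == protected
    if src.startswith("'"):  # 'none' or any other keyword: no match
        return False
    if src == "*":
        return True
    if src.endswith(":") and "//" not in src:  # scheme-source
        return a_scheme == src[:-1]

    scheme, host_port = src.split("://", 1) if "://" in src else (None, src)
    host, _, port_text = host_port.split("/", 1)[0].partition(":")

    if scheme is not None:
        if a_scheme != scheme:
            return False
    # No scheme given: same scheme as the framed page, or an https ancestor
    # when the framed page itself is http.
    elif not (a_scheme == protected[0] or (protected[0] == "http" and a_scheme == "https")):
        return False

    if host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif a_host != host:
        return False

    if port_text == "*":
        return True
    if port_text:
        return a_port == int(port_text)
    return a_port == DEFAULT_PORTS.get(scheme or a_scheme)


def frame_allowed(header_values, framed_url, ancestor_url):
    """True only if every policy that sets frame-ancestors admits ancestor_url.

    Policies without frame-ancestors do not restrict framing at all; the
    directive has no fallback to default-src.
    """
    protected = origin_of(framed_url)
    ancestor = origin_of(ancestor_url)
    for policy in split_policies(header_values):
        sources = policy.get("frame-ancestors")
        if sources is not None and not any(source_matches(s, ancestor, protected) for s in sources):
            return False
    return True


# Constructed sample: the three header lines reported in the answer above.
REPORTED_HEADERS = [
    "frame-ancestors 'none'",
    "frame-ancestors 'self'",
    "frame-ancestors 'none'",
]
# Constructed sample: one policy that names a (hypothetical) admin origin.
SINGLE_POLICY = ["frame-ancestors 'self' https://admin.example.com"]

if __name__ == "__main__":
    framed = "https://www.example.com/page"
    print(frame_allowed(REPORTED_HEADERS, framed, "https://www.example.com/cms"))  # False
    print(frame_allowed(SINGLE_POLICY, framed, "https://admin.example.com/cms"))  # True
    print(frame_allowed(SINGLE_POLICY, framed, "https://evil.example.net/"))  # False
```

Run against the reported headers, even a same-origin frame is refused, because the two 'none' policies each veto it regardless of the 'self' policy between them. When checking a live site, look at the raw response (for example `curl -sI` against the page URL) rather than the browser's merged view, since the number of separate header lines is exactly what matters here.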

Dan Bendig answered on September 28, 2020 21:51

If anyone reaches this page because they are experiencing the same issue as Mike Mathes, please check that you have the CMSEnableClickjackingProtection application key in the MVC web.config set to false. See the docs for reference: https://docs.kentico.com/k12sp/configuring-kentico/reference-web-config-application-keys

I just went through troubleshooting this and wanted to comment here since this is the first result I hit when searching.

