In the documentation for Kentico 12 Preview, it says:
"Because the preview URLs could potentially be vulnerable to clickjacking attacks, the UsePreview feature automatically adds the Content Security Policy (CSP) HTTP response header with the frame-ancestors policy, and sets the Kentico administration site's domain as a valid source. This allows you to display previewed pages in the Kentico administration, while preventing embedding on any other domains."
I am using the MVC model - and have two URLs... admin.example.com (Kentico CMS App) and www.example.com (my .NET MVC website). This is what's configured on the "Site" in Kentico - admin.example.com (site domain name) and https://www.example.com (presentation URL), When I try to preview inside the admin, it does not work because Kentico adds the header (but it doesn't add the admin URL, so it's an invalid ancestor):
Content-Security-Policy: frame-ancestors 'self'
.
It says it's supposed to add the admin URL in here, but it's doesn't. I tried overwriting it with my own CSP policy:
Content-Security-Policy: frame-ancestors 'self' https://admin.example.com;
, but Kentico just adds a second one and it still doesn't work.
This is keeping users from being able to preview inside Kentico itself, but the preview works if they open it in another tab. So, it's just a minor annoyance.