Override Content Security Policy not working

sufian.mughal

i need to run mattermost in iframe and overriding the

Content Security Policy
Setting this option will override any CSP headers sent by the app itself

i am trying to override to "frame-ancestors 'xyz.zyz';

can anyone help in this regard

nebulon

Have you seen the documentation for this at https://docs.cloudron.io/apps/#custom-csp ?

sufian.mughal

@nebulon yes i tried exactly but its not working

nebulon

I just tried this on a fresh installation and I can see the CSP header correctly sent after configuring it through the Cloudron dashboard. Can you maybe curl the page with -v and check the sent headers there?

girish

Looks like https://forum.mattermost.com/t/recipe-embedding-mattermost-in-web-applications-using-an-iframe-unsupported-recipe/10233 is the latest recipe.

girish

Configure mattermost like so:

Then in surfer app (the app configured above), use the following code:

<!DOCTYPE html>
<html>

<body style="text-align: center">
	<iframe src="https://mattermost.smartserver.io" height="200" width="400">
	</iframe>
</body>

</html>

The going to surfer.smartserver.io, I get: