Content-Security-Policy frame-ancestors issue after installing Sitecore Horizon


Description

When the HTTP Content-Security-Policy (CSP) response header is in use, Sitecore Horizon overwrites the frame-ancestors directive that has been configured in the web.config file on the Content Management (CM) instance. As a result, the origins listed in web.config are lost and a page can no longer be rendered within a frame or iframe.

Solution

To resolve the issue, align web.config settings with Horizon configuration as follows:

Configuration file examples

Example of configuration files before aligning:

CM web.config file:

<location path="sitecore">
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors 'self' https://a.com https://b.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

Horizon configuration file:

<setting name="Horizon.ClientHost" value="<your horizon site>" />

<collectIFrameAllowedDomains>
  <processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddDomains, Sitecore.Horizon.Integration" resolve="true">
    <allowedDomains hint="list:AddDomain">
      <domain>'self'</domain>
      <domain>c.com</domain>
      <domain>d.com</domain>
    </allowedDomains>
  </processor>
  <processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddHorizonClientHost, Sitecore.Horizon.Integration" resolve="true" />
</collectIFrameAllowedDomains>


Example of configuration files after aligning (the CM header now lists the Horizon client host and every Horizon domain, and the Horizon list now carries every web.config origin, so both sides produce the same frame-ancestors set):

CM web.config file:

<location path="sitecore">
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors 'self' <your horizon site> https://a.com https://b.com https://c.com https://d.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

Horizon configuration file:

<setting name="Horizon.ClientHost" value="<your horizon site>" />

<collectIFrameAllowedDomains>
  <processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddDomains, Sitecore.Horizon.Integration" resolve="true">
    <allowedDomains hint="list:AddDomain">
      <domain>'self'</domain>
      <domain>a.com</domain>
      <domain>b.com</domain>
      <domain>c.com</domain>
      <domain>d.com</domain>
    </allowedDomains>
  </processor>
  <processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddHorizonClientHost, Sitecore.Horizon.Integration" resolve="true" />
</collectIFrameAllowedDomains>
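Because the two lists drift apart silently (Horizon simply replaces the header), it is worth checking the alignment mechanically before and after a deployment. The following script is an added example and is not part of this article or of Sitecore's own tooling: it parses a CM web.config fragment and a Horizon configuration fragment, reduces both the frame-ancestors sources and the Horizon domain entries to comparable host names, and reports what is present on only one side. The XML fragments embedded below are constructed to mirror the examples above; the Horizon client host value `https://horizon.example` and the wrapping `<configuration>`/`<settings>`/`<pipelines>` elements are assumptions used only to make the fragments parseable, and `alignment_report` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample fragments modelled on the "before aligning" examples
# in this article. In practice read the real files from disk instead.
CM_WEB_CONFIG = """<location path="sitecore">
  <system.webServer><httpProtocol><customHeaders>
    <add name="Content-Security-Policy" value="frame-ancestors 'self' https://a.com https://b.com" />
  </customHeaders></httpProtocol></system.webServer>
</location>"""

HORIZON_CONFIG = """<configuration>
  <settings><setting name="Horizon.ClientHost" value="https://horizon.example" /></settings>
  <pipelines><collectIFrameAllowedDomains>
    <processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddDomains, Sitecore.Horizon.Integration" resolve="true">
      <allowedDomains hint="list:AddDomain">
        <domain>'self'</domain><domain>c.com</domain><domain>d.com</domain>
      </allowedDomains>
    </processor>
    <processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddHorizonClientHost, Sitecore.Horizon.Integration" resolve="true" />
  </collectIFrameAllowedDomains></pipelines>
</configuration>"""

# Constructed "after aligning" counterparts: both sides carry the same set.
CM_WEB_CONFIG_ALIGNED = CM_WEB_CONFIG.replace(
    "frame-ancestors 'self' https://a.com https://b.com",
    "frame-ancestors 'self' https://horizon.example https://a.com https://b.com https://c.com https://d.com",
)
HORIZON_CONFIG_ALIGNED = HORIZON_CONFIG.replace(
    "<domain>'self'</domain>",
    "<domain>'self'</domain><domain>a.com</domain><domain>b.com</domain>",
)


def normalize(source):
    """Reduce a CSP source or Horizon domain entry to a comparable form.

    Keyword sources such as 'self' are kept verbatim (lower-cased); URLs lose
    their scheme so that "https://a.com" in the header and "a.com" in the
    Horizon list compare equal.
    """
    s = source.strip()
    if s.startswith("'") and s.endswith("'"):
        return s.lower()
    if "://" in s:
        return urlparse(s).netloc.lower()
    return s.lower()


def frame_ancestors_from_web_config(xml_text):
    """Return the normalized frame-ancestors sources from the CSP header."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("name", "").lower() != "content-security-policy":
            continue
        # A CSP value is a ';'-separated list of directives; pick frame-ancestors.
        for directive in add.get("value", "").split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return {normalize(p) for p in parts[1:]}
    return set()


def horizon_allowed_domains(xml_text):
    """Return the normalized set Horizon will emit: AddDomain entries plus
    the Horizon.ClientHost setting (added by the AddHorizonClientHost processor)."""
    root = ET.fromstring(xml_text)
    domains = {normalize(d.text or "") for d in root.iter("domain")}
    for setting in root.iter("setting"):
        if setting.get("name") == "Horizon.ClientHost":
            domains.add(normalize(setting.get("value", "")))
    return domains


def alignment_report(web_config_xml, horizon_xml):
    """Compare both sides and list the origins that only one of them knows."""
    cm = frame_ancestors_from_web_config(web_config_xml)
    hz = horizon_allowed_domains(horizon_xml)
    return {
        "aligned": cm == hz,
        "only_in_web_config": sorted(cm - hz),
        "only_in_horizon": sorted(hz - cm),
    }


if __name__ == "__main__":
    print("before:", alignment_report(CM_WEB_CONFIG, HORIZON_CONFIG))
    print("after: ", alignment_report(CM_WEB_CONFIG_ALIGNED, HORIZON_CONFIG_ALIGNED))
```

The "before" report lists a.com and b.com as present only in web.config, which is exactly the set of origins that would stop being able to frame the page once Horizon replaces the header; the "after" report comes back aligned. Run it against the real files as a post-deployment check, and treat any non-empty `only_in_web_config` list as a sign that the Horizon `AddDomain` list needs the missing origins added.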