When the HTTP Content-Security-Policy (CSP) response header is used, Sitecore Horizon overwrites the frame-ancestors directive that has been configured in the web.config file on the Content Management (CM) instance. Origins that are listed only in web.config are therefore missing from the frame-ancestors value that is actually sent, and the browser refuses to render the page inside a frame or iframe on those origins.
To resolve the issue, make the frame-ancestors list in web.config and the allowedDomains list in the Horizon configuration contain the same set of origins, as shown below. Note that the aligned result is the union of both original lists: every origin you keep is permitted to embed CM pages (frame-ancestors is the clickjacking control), so remove any entry that is no longer required rather than copying both lists blindly.
Example of configuration files before aligning:
CM web.config file:
<!-- Before aligning: this header applies only to requests under /sitecore (location path)
     and permits the CM origin ('self') plus a.com and b.com to frame CM pages.
     The hosts in Horizon's allowedDomains list (c.com, d.com) are not reflected here. -->
<location path="sitecore">
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' https://a.com https://b.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
Horizon configuration file:
<!-- Before aligning: Horizon collects only 'self', c.com and d.com, so a.com and b.com
     (allowed in web.config) are absent from the frame-ancestors value Horizon applies. -->
<!-- Horizon.ClientHost: replace the whole placeholder with the Horizon client origin;
     a literal '<' inside an attribute value is not well-formed XML and will break parsing. -->
<setting name="Horizon.ClientHost" value="<your horizon site>" />
<collectIFrameAllowedDomains>
<!-- AddDomains: static list of hosts permitted to frame CM pages; each <domain> child is one entry. -->
<processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddDomains, Sitecore.Horizon.Integration" resolve="true">
<allowedDomains hint="list:AddDomain">
<domain>'self'</domain>
<domain>c.com</domain>
<domain>d.com</domain>
</allowedDomains>
</processor>
<!-- AddHorizonClientHost: presumably adds the Horizon.ClientHost value to the same list;
     confirm against the Horizon documentation for your version. -->
<processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddHorizonClientHost, Sitecore.Horizon.Integration" resolve="true" />
</collectIFrameAllowedDomains>
Example of configuration files after aligning:
CM web.config file:
<!-- After aligning: every origin from both original lists plus the Horizon client host is listed,
     still scoped to /sitecore. Replace the whole <your horizon site> placeholder with the Horizon
     client origin in the same https://host form as the other entries; a literal '<' inside an
     attribute value is not well-formed XML and will break web.config.
     Each entry grants that origin the right to embed CM pages (clickjacking control), so keep the
     list to origins you trust and never use '*' here. -->
<location path="sitecore">
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' <your horizon site> https://a.com https://b.com https://c.com https://d.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
Horizon configuration file:
<!-- After aligning: the Horizon list carries the same hosts as web.config (a.com through d.com).
     Entries here are bare host names while web.config uses https:// origins; how Horizon maps a
     host to the emitted directive is not shown on this page, so verify the resulting
     Content-Security-Policy header in the browser after the change.
     Keep both lists in sync whenever an origin is added or removed. -->
<!-- Horizon.ClientHost: replace the whole placeholder with the Horizon client origin;
     a literal '<' inside an attribute value is not well-formed XML. -->
<setting name="Horizon.ClientHost" value="<your horizon site>" />
<collectIFrameAllowedDomains>
<!-- AddDomains: static list of hosts permitted to frame CM pages; each <domain> child is one entry. -->
<processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddDomains, Sitecore.Horizon.Integration" resolve="true">
<allowedDomains hint="list:AddDomain">
<domain>'self'</domain>
<domain>a.com</domain>
<domain>b.com</domain>
<domain>c.com</domain>
<domain>d.com</domain>
</allowedDomains>
</processor>
<!-- AddHorizonClientHost: presumably adds the Horizon.ClientHost value to the same list;
     confirm against the Horizon documentation for your version. -->
<processor type="Sitecore.Horizon.Integration.Pipelines.CollectIFrameAllowedDomains.AddHorizonClientHost, Sitecore.Horizon.Integration" resolve="true" />
</collectIFrameAllowedDomains>