3,281 questions
Invalid Content-Security-Policy Header when using Custom Policy with JourneyFraming
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 27%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
StefanWHel
1
Reputation point
I'm looking into embedding the Azure AD B2C sign-in page in an Iframe in my SPA. Following the documentation, I have added my domains (MYDOMAIN1, MYDOMAIN2) in the JourneyFraming element of my Custom Policy. The authentication works - however, there are a number of errors in my browser's console that stop me from going to production with this solution. One error in particular is this:
The Sign-In page (/authorize) returns the following invalid HTTP Header:
Content-Security-Policy: script-src 'strict-dynamic' 'self' 'nonce-6MJayq01+GIeI1e4EsWB0w==' 'report-sample'; report-uri /MYTENANT.onmicrosoft.com/B2C_1A_MYPOLICY/client/cspreport?p=B2C_1A_MYPOLICY frame-ancestors https://MYDOMAIN1.COM https://MYDOMAIN2.COM
According to MDN, the directives must be semicolon-separated. The semicolon is missing after the 'report-uri' directive, though.
This leads to a HTTP POST of the CSP Report to each of those URLs:
- https://MYTENANT.b2clogin.com/MYTENANT.onmicrosoft.com/B2C_1A_MYPOLICY/client/cspreport?p=B2C_1A_MYPOLICY (this is desired, I guess)
- https://MYTENANT.b2clogin.com/MYTENANT.onmicrosoft.com/B2C_1A_MYPOLICY/oauth/v2.0/**frame-ancestors**
- https://MYDOMAIN1.COM
- https://MYDOMAIN2.COM
Obviously, these calls return HTTP 404/405...
This is a very ugly bug - unless I'm doing something wrong?
The relevant config in the Custom Policy is:
<RelyingParty>
...
<UserJourneyBehaviors>
<JourneyFraming Enabled="true" Sources="https://MYDOMAIN1.COM https://MYDOMAIN2.COM" />
</UserJourneyBehaviors>
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator2022-06-24T05:20:41.197+00:00 Hi @StefanWHel ,
Apologies for misunderstood the question here.
This error is already under the discussion, and we are checking internally on this as well.I found the stack flow reference for the same - https://stackoverflow.com/questions/69799461/content-security-policy-error-on-login-azure-b2c-pages
Hope this will help to understand the issue.
I accidently deleted your comment while editing mine as it was under that. Trying to recover that.
Thanks,
Shweta -
StefanWHel 1 Reputation point
2022-06-24T05:56:24.803+00:00 Dear @Shweta Mathur
Thanks for getting back to me again.
The SO link that you shared covers one part of the problem ("Refused to run the JavaScript URL because it violates the Content Security Policy directive"). But the main issue that I was trying to raise with this thread is the following:
The HTTP Response Header like this is invalid:
Content-Security-Policy: script-src 'strict-dynamic' 'self' 'nonce-6MJayq01+GIeI1e4EsWB0w==' 'report-sample'; report-uri /MYTENANT.onmicrosoft.com/B2C_1A_MYPOLICY/client/cspreport?p=B2C_1A_MYPOLICY frame-ancestors https://MYDOMAIN1.COM https://MYDOMAIN2.COMThis leads to different errors than the one above, namely it leads to a HTTP POST of the CSP Report to each of those URLs which is undesired / completely wrong:
- https://MYTENANT.b2clogin.com/MYTENANT.onmicrosoft.com/B2C_1A_MYPOLICY/oauth/v2.0/**frame-ancestors
- https://MYDOMAIN1.COM
- https://MYDOMAIN2.COM**
The reason for it being that in the shown CSP Header, a semicolon (";") is missing after the 'report-uri' directive. This means the 'frame-ancestors' directive is interpretet as additional URIs for the 'report-uri' directive.
- See the MDN doc about the Content-Security-Policy here, which states that the directives shall be semicolon-separated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- Documentation about 'report-uri' directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
- See also 'frame-ancestors': https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 79%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
Balaji A 0 Reputation points2024-05-02T16:35:03.2266667+00:00 Hi,
Could you explain what changes you made in b2c custom policy to include nonce value in Content-security-policy header ?
Thanks in advance !
-
StefanWHel 1 Reputation point
2024-05-03T05:33:27.3633333+00:00 Hi there,
If you're asking me, I have no idea. I did not specifically enable this; at least not knowingly.
Sorry to not be able to help.
Sign in to comment
Sign in to answer