Remove From My Forums

How to set unique content-security-policy response header for each page

Question
0

Sign in to vote

User-1315793439 posted

We have a videos website much like Youtube. Our site allows other users to embed our videos in their sites using the iframe , again much like youtube.
When our website is framed i.e when it is run in another website we don't want any area of the website to be navigable other than the video.

The planned approach:
Set frame-ancestor content-security-policy value to * on the video page.
Disallow other pages to be accessed from the frame by keeping frame-ancestor to 'self'

Also how can we specify different content-security-policy directive for each page.

Is this a right approach or we can have something more effective that achieves the goal.

Friday, March 18, 2016 12:27 PM

Answers

0

Sign in to vote
User614698185 posted

Hi invincible,

I think you could determine the request domain in the BeginRequest Event. If you get the different domain, it will display the video's content, others don't display.

Please see: https://msdn.microsoft.com/en-us/library/system.web.httpapplication.beginrequest(v=vs.110).aspx

Best Regards,

Candice Zhou
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Monday, March 21, 2016 10:16 AM