
Fix - 'frame-ancestors' does not support ''unsafe-inline' #33202


Merged
merged 1 commit into from
Aug 20, 2021

Conversation

KeyShang
Contributor

@KeyShang KeyShang commented Jun 10, 2021

Description (*)

The wrong setting will cause a Chrome console error: The Content-Security-Policy directive 'frame-ancestors' does not support the source expression ''unsafe-inline''.

The frame-ancestors directive’s syntax is similar to a source list of other directives (e.g. default-src), but doesn't allow 'unsafe-eval' or 'unsafe-inline'.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#sources

Related Pull Requests

Fixed Issues (if relevant)

  1. Fixes The Content-Security-Policy directive 'frame-ancestors' does not support the source expression ''unsafe-inline'' #33101

Manual testing scenarios (*)

  1. On a newly installed Magento 2.4, go to the homepage and open the Chrome (version 91) console; you will see the error message: The Content-Security-Policy directive 'frame-ancestors' does not support the source expression ''unsafe-inline''.
  2. After applying my changes, clear the Magento cache and refresh the homepage; the Chrome console error is gone.

Questions or comments

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
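The rule the PR relies on (frame-ancestors takes a source list but rejects the 'unsafe-inline' and 'unsafe-eval' keywords, which other directives such as default-src accept) can be checked before a header ever reaches a browser. The following linter is an added example, not Magento code or part of this PR; the header string it checks is constructed to reproduce the misconfiguration described above, and the finding text mirrors the Chrome console message quoted in the description.

```python
"""Lint a Content-Security-Policy header for keyword sources that the
frame-ancestors directive does not accept (added example, not Magento code)."""

# Keyword sources CSP allows in fetch directives (default-src, script-src, ...)
# but which frame-ancestors does not support; Chrome logs a console error
# for each one it finds there.
FRAME_ANCESTORS_DISALLOWED = frozenset({"'unsafe-inline'", "'unsafe-eval'"})


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated; the name and its sources are split on whitespace."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy[name.lower()] = sources
    return policy


def lint_frame_ancestors(header: str) -> list[str]:
    """Return one finding per unsupported frame-ancestors source, phrased like
    the Chrome console message. An empty list means the directive is clean."""
    findings = []
    for src in parse_csp(header).get("frame-ancestors", []):
        if src.lower() in FRAME_ANCESTORS_DISALLOWED:
            findings.append(
                "The Content-Security-Policy directive 'frame-ancestors' does not "
                f"support the source expression '{src}'"
            )
    return findings


def fix_frame_ancestors(header: str) -> str:
    """Rebuild the header with the unsupported keyword sources dropped from
    frame-ancestors; every other directive is emitted unchanged. Note that a
    frame-ancestors list left empty matches nothing, i.e. blocks all framing."""
    parts = []
    for name, sources in parse_csp(header).items():
        if name == "frame-ancestors":
            sources = [s for s in sources if s.lower() not in FRAME_ANCESTORS_DISALLOWED]
        parts.append(" ".join([name, *sources]))
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed header reproducing the misconfiguration the PR fixes.
    BAD = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'"
    for finding in lint_frame_ancestors(BAD):
        print(finding)
    print(fix_frame_ancestors(BAD))
```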

@m2-assistant

m2-assistant bot commented Jun 10, 2021

Hi @KeyShang. Thank you for your contribution
Here are some useful tips on how you can test your changes using the Magento test environment.
Add a comment under your pull request to deploy a test or vanilla Magento instance:

  • @magento give me test instance - deploy test instance based on PR changes
  • @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names. Allowed build names are:

  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here

ℹ️ Please run only needed test builds instead of all when developing. Please run all test builds before sending your PR for review.

For more details, please, review the Magento Contributor Guide documentation.

⚠️ According to the Magento Contribution requirements, all Pull Requests must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of Pull Requests happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

@KeyShang
Contributor Author

@magento run all tests

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@KeyShang
Contributor Author

@magento run all tests

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@mrtuvn
Contributor

mrtuvn commented Jun 10, 2021

@magento run Functional Tests CE, Functional Tests EE, Functional Tests B2B

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@mrtuvn
Contributor

mrtuvn commented Jun 10, 2021

@magento run Functional Tests CE, Functional Tests EE, Functional Tests B2B

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@KeyShang
Contributor Author

@magento run Functional Tests CE, Functional Tests EE, Functional Tests B2B

Hi, I signed the Adobe CLA, but it still said "No signed agreements were found. Please sign the Adobe CLA! Once signed, close and re-open your pull request".

@mrtuvn
Contributor

mrtuvn commented Jun 11, 2021

Make sure you use the correctly signed CLA account for the pull request.

@mrtuvn
Contributor

mrtuvn commented Jun 11, 2021

The failed Functional Tests CE build seems not related to the pull request update.

@KeyShang
Contributor Author

> Make sure you use the correctly signed CLA account for the pull request.

You are right, it is working now, thanks.

@KeyShang
Contributor Author

> The failed Functional Tests CE build seems not related to the pull request update.

Yes, the pull request is a small change about CSP, there shouldn't be any problem.

@eduard13 added the labels Auto-Tests: Not Required (Changes in Pull Request does not require coverage by auto-tests), Award: bug fix, and Priority: P2 (A defect with this priority could have functionality issues which are not to expectations) on Jun 19, 2021
@magento-engcom-team
Contributor

Hi @eduard13, thank you for the review.
ENGCOM-9125 has been created to process this Pull Request

@mrtuvn
Contributor

mrtuvn commented Jun 24, 2021

Hi @KeyShang, can you update the pull request description and add the related issue ID?
See Fixed Issues (if relevant).

@mrtuvn
Contributor

mrtuvn commented Jun 24, 2021

@magento run Functional Tests CE

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@KeyShang
Contributor Author

> Hi @KeyShang, can you update the pull request description and add the related issue ID?
> See Fixed Issues (if relevant).

Added it now.

@mrtuvn
Contributor

mrtuvn commented Jun 26, 2021

@magento run Functional Tests CE

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

@engcom-Hotel
Contributor

@magento run Functional Tests CE

@magento-automated-testing

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.


@engcom-Hotel
Contributor

✔️ QA Passed

This PR has a fix related to the error that appears in the console of Chrome v91 (or greater), as below:

The Content-Security-Policy directive 'frame-ancestors' does not support the source expression ''unsafe-inline''

Before the fix we are getting the above error; please find the screenshot below for reference:

[Screenshot 2021-07-29 at 2:23:40 PM]

After the fix, we are not getting such an error in the console; please find the screenshot below for reference:

[Screenshot 2021-07-29 at 2:26:47 PM]

Thanks for the contribution @KeyShang

@m2-assistant

m2-assistant bot commented Aug 20, 2021

Hi @KeyShang, thank you for your contribution!
Please complete the Contribution Survey; it will take less than a minute.
Your feedback will help us to improve the contribution process.

@lytesaber

Is there any indication when this fix will be added into a Magento release? This fix isn't part of the recent 2.4.3 release which still throws the same "The Content-Security-Policy directive 'frame-ancestors' does not support the source expression ''unsafe-inline''" error. Will this be part of a 2.4.3-p1 or 2.4.4 release?

@hostep
Contributor

hostep commented Oct 11, 2021

@lytesaber: One of the two lines that changed in this PR is part of 2.4.3-p1. If that's enough to fix this problem, I'm not sure though.
But it's mentioned on the unpublished release notes for 2.4.3-p1

So it sounds like it will be fixed in 2.4.3-p1, but best is probably to double check after it gets released tomorrow.

@simonmaass

I just updated 2.4.3 to 2.4.3-p1 and this issue still exists

Labels: Auto-Tests: Not Required (Changes in Pull Request does not require coverage by auto-tests); Award: bug fix; Component: Csp; Priority: P2 (A defect with this priority could have functionality issues which are not to expectations); Progress: accept; Release Line: 2.4