I am working with Firefox version 84.0.2. I am creating a Node web application hosted at https://parent.example.com which is configured to return the response header: Content-Security-Policy: frame-src https://child.example.com
But I am able to open URLs in an iframe other than https://child.example.com from https://parent.example.com in Firefox.
But as the header suggests, it should get blocked. The same thing works fine in Chrome.
I did some research and found out that there is confusion between CSP frame-src and CSP child-src, and somewhere it was suggested to use both headers (ref: How to use frame-src and child-src in Firefox and other browsers? and ).
Therefore, I added both directives as: Content-Security-Policy: frame-src https://child.example.com; child-src https://child.example.com
But still, I have no success. So, could anyone let me know how to make this work in Firefox?
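To check what a given policy should permit independently of any one browser, here is an added example (not code from the question) that parses a CSP header and evaluates a frame URL against the CSP3 fallback chain frame-src, then child-src, then default-src. Host names are the question's placeholders, and the source-expression matching is simplified (no nonces or hashes).

```javascript
// Added example: decide which CSP directive governs an iframe load and whether
// a frame URL passes it, following the fallback frame-src -> child-src -> default-src.
// Hosts are the question's placeholders; matching is simplified (no nonces/hashes).
const FRAME_FALLBACK = ['frame-src', 'child-src', 'default-src'];
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Parse "name src src; name src" into a Map; a repeated directive is ignored, as in CSP.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match one source expression: 'none', 'self', *, scheme:, or [scheme://]host[:port][/path].
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  // Without an explicit scheme, only http/https URLs can match a host-source.
  if (scheme ? url.protocol !== scheme + ':' : !(url.protocol in DEFAULT_PORT)) return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  if (port !== '*' && urlPort !== (port || DEFAULT_PORT[url.protocol])) return false;
  return !path || url.pathname.startsWith(path);
}

// Returns the governing directive (null if none restricts frames) and the verdict.
function isFrameAllowed(header, frameUrl, pageOrigin) {
  const policy = parseCsp(header);
  const directive = FRAME_FALLBACK.find((d) => policy.has(d)) || null;
  if (!directive) return { directive, allowed: true }; // nothing restricts frames
  const url = new URL(frameUrl);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, url, pageOrigin));
  return { directive, allowed };
}

// Constructed check mirroring the question's header and a frame target it should block.
const HEADER = 'frame-src https://child.example.com; child-src https://child.example.com';
console.log(isFrameAllowed(HEADER, 'https://child.example.com/widget', 'https://parent.example.com'));
console.log(isFrameAllowed(HEADER, 'https://other.example.org/', 'https://parent.example.com'));
```

Running the same checks against the header the browser actually receives (for example by inspecting the response in the devtools Network tab) separates a policy that is wrong from a policy that is right but not being applied.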