SOLVED

Content Security Policy interaction with Forms

Copper Contributor

Hello everybody, 

I got a responsiveness issue when trying to implement the Forms-link into an iframe in my .html file. When declaring the content security policy through the frame-src tag with my respective link provided by Forms the implementation works just fine, but once the site triggers the media query for the mobile version the Forms iframe stops being responsive . What could the issue be? I assume the content security policy restricts some resource needed for the proper implementation of Forms but that specific resource is not fetched via the Forms-link and instead needs to be retrieved from somewhere else. 

 

Thank you in advance. 

2 Replies
best response confirmed by bensom0 (Copper Contributor)
Solution

Hi @bensom0,

The issue you are facing is likely caused by the fact that the Forms iframe is attempting to load resources that are not explicitly allowed by the Content Security Policy (CSP). The CSP is a security feature that helps to protect your website from malicious code by restricting the types of resources that can be loaded.

When you declare the CSP through the frame-src tag, you are explicitly allowing the Forms iframe to load resources from the Forms domain. However, once the site triggers the media query for the mobile version, the Forms iframe may attempt to load resources from other domains, such as the Microsoft Office domain. If these domains are not explicitly allowed in the CSP, then the Forms iframe will not be able to load the resources and will not be displayed properly.

To fix this issue, you need to explicitly allow the Forms iframe to load resources from all of the domains that it needs to access. You can do this by adding the following domains to the frame-src tag in your CSP:

 

frame-src https://*.microsoft.com https://*.forms.office.com

 

 

This will allow the Forms iframe to load resources from all of the domains that it needs to access, regardless of whether the site is in desktop or mobile mode.

Here are some links to resources on CSP:

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic

Hi Leon,
thank you very much for your outstandingly helpful reply.

Best Regards,
bensom0
1 best response

Accepted Solutions
best response confirmed by bensom0 (Copper Contributor)
Solution

Hi @bensom0,

The issue you are facing is likely caused by the fact that the Forms iframe is attempting to load resources that are not explicitly allowed by the Content Security Policy (CSP). The CSP is a security feature that helps to protect your website from malicious code by restricting the types of resources that can be loaded.

When you declare the CSP through the frame-src tag, you are explicitly allowing the Forms iframe to load resources from the Forms domain. However, once the site triggers the media query for the mobile version, the Forms iframe may attempt to load resources from other domains, such as the Microsoft Office domain. If these domains are not explicitly allowed in the CSP, then the Forms iframe will not be able to load the resources and will not be displayed properly.

To fix this issue, you need to explicitly allow the Forms iframe to load resources from all of the domains that it needs to access. You can do this by adding the following domains to the frame-src tag in your CSP:

 

frame-src https://*.microsoft.com https://*.forms.office.com

 

 

This will allow the Forms iframe to load resources from all of the domains that it needs to access, regardless of whether the site is in desktop or mobile mode.

Here are some links to resources on CSP:

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic

View solution in original post