amazon-connect / amazon-connect-streams

Amazon Connect Streams - a browser-based contact center integration API, typically with CRM systems.
https://docs.aws.amazon.com/connect/latest/userguide/
Apache License 2.0

Cannot embed and use Streams -> Content Security Policy Issue #898

Open JoshuaRussellJW opened 4 months ago

JoshuaRussellJW commented 4 months ago

The page’s settings blocked the loading of a resource (frame-ancestors) at because it violates the following directive: “frame-ancestors 'self'”

I am attempting to use the Streams API to embed a third party's Amazon Connect into our site (they are working with us to do this, and have added our site to their accepted origins). When I attempt to load the page using this script:

```javascript
var containerDiv = document.getElementById("container-div");
// ccpUrl must be an absolute URL, including the https:// scheme
var instanceURL = "https://[Their Instance].my.connect.aws/ccp-v2";

// initialize the streams api
function init() {
  // initialize the ccp
  connect.core.initCCP(containerDiv, {
    ccpUrl: instanceURL, // REQUIRED
    loginUrl: '[Their Instance Login URL]',
    softphone: {
      allowFramedSoftphone: true,
    }
  });
}

// run once the connect-streams script has loaded on the page
init();
```

The iframe is prevented from loading and provides the above error. Is there something I need to instruct them to do on their end to allow embedding beyond our site being an accepted origin? Do the AWS accepted origins allow localhost (for testing) also? I am doing this in dev locally on my machine.

beallc commented 4 months ago

The error message reported only lists 'self' as an option. This suggests that the origin has not been added. To support embedding, you must first allowlist the URL of your site. Localhost is supported but must be added the same as any other URL. Be sure that you match the correct scheme and port when doing so.

If that still is not working, you can troubleshoot by checking your frame-ancestors in the Content-Security-Policy response header when loading CCP. If correctly configured, you should find the exact match to your URL in that list.
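A small check for the header inspection described above, as an added example that is not part of this thread or of the Streams library: it parses the frame-ancestors directive of a Content-Security-Policy header and reports whether a given embedding origin (scheme, host and port) is allowed. The CCP URL and origins used below are constructed placeholders.

```javascript
// Added example (not from the Streams project): check whether an embedding
// origin is permitted by the frame-ancestors directive of a CSP header.
// All header values and URLs used here are constructed for illustration.
const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

// Return the source list of a directive, or null when the header lacks it.
function getDirective(cspHeader, name) {
  for (const raw of cspHeader.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Does one source expression ('self', https:, *.example.com:8080, ...) match
// the embedder? `ccp` is the URL that served the policy (the CCP page).
function sourceMatches(src, embedder, ccp) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === ccp.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\*|\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: an explicit scheme must match exactly; otherwise the CCP page's
  // own scheme applies (an http page also accepts https embedders).
  if (scheme) {
    if (embedder.protocol !== scheme + ":") return false;
  } else if (embedder.protocol !== ccp.protocol &&
             !(ccp.protocol === "http:" && embedder.protocol === "https:")) {
    return false;
  }
  // Host: a wildcard matches subdomains only; otherwise exact match.
  if (wildcard ? !embedder.hostname.endsWith("." + host) : embedder.hostname !== host) return false;
  // Port: absent means the scheme's default port (URL normalises that to "").
  if (port === undefined) return embedder.port === "";
  if (port === "*") return true;
  return (embedder.port || DEFAULT_PORTS[embedder.protocol]) === port;
}

// True when `embedderOrigin` may frame the page at `ccpUrl` under `cspHeader`.
function isEmbeddingAllowed(cspHeader, embedderOrigin, ccpUrl) {
  const sources = getDirective(cspHeader, "frame-ancestors");
  if (sources === null) return true; // no directive: CSP does not restrict framing
  const embedder = new URL(embedderOrigin);
  const ccp = new URL(ccpUrl);
  return sources.some((src) => sourceMatches(src, embedder, ccp));
}
```

Paste the header value copied from the browser's network panel as `cspHeader` and your site's origin as `embedderOrigin`; a `false` result with a scheme or port that differs from what was allowlisted is the mismatch described above.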

JoshuaRussellJW commented 4 months ago

[screenshot: list of approved origins]

This is the list of allowed origins the client has provided me. It looks to me that they should be valid, but the frame-ancestors is still returning just self.

ahzhezhe commented 3 months ago

I'm getting the same issue with version 2.14.5 too; there is no issue with version 2.11.0.

bretticus-mc commented 3 months ago

Is the Agent logged in? The origins won't be added to the CSP header until the Agent is logged in.

JoshuaRussellJW commented 3 months ago

@bretticus-mc Could you elaborate? What do you mean by the Agent being logged in? Is there a command I need to run before the agent.connect? I don't see any functions related to logging in the agent.

After a few refreshes of the embed, it does pop open a new window that I am able to login at, but that does not change the primary embed page which never resolves.

ahzhezhe commented 3 months ago

> Is the Agent logged in? The origins won't be added to the CSP header until the Agent is logged in.

For me, yes, the agent is logged in, but the approved origin is not included in the CCP's CSP.

fmorissette commented 2 months ago

Hello, this problem occurs for us before the user is logged in. The Approved Origins include our domain, but it does not seem to have an effect before the agent logs in. Many times, the login pop-up does not even show. Does anyone know of a reliable way of displaying the frame? Thank you.

denisstepanenko commented 2 months ago

The CSP issue is normal when the iframe is not authenticated, especially if you're using SAML to authenticate; I presume this is because to log in you'd need to load the IdP's page, and that for security reasons should not be iframable. However, if you're seeing this issue after logging in, it's probably because the iframe is not able to access the cookies from the login window.

If you're on Chrome, check whether your Amazon cookies are blocked as per this: https://docs.aws.amazon.com/connect/latest/adminguide/3pcookies.html

If you're on Firefox, check your "Enhanced Tracking Protection" configuration as "Standard" can block cookies created by other windows. For testing you can try selecting "Custom" and unchecking the "Cookies" checkbox. Obviously this means you can be cross-site tracked but that might be an acceptable compromise.