Cloudflare Access Content-Security-Policy Issue

Hi - I have a site with an Access policy in front of it. This site is embedded in an iframe but doesn’t work due to the following error:

Refused to frame 'https://XXXX.cloudflareaccess.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

I’ve used Fiddler, and when I hit my app, I get 302 redirected to the Cloudflare Access portal above (which is to be expected), but the frame-ancestors header comes back as:

frame-ancestors 'none'; connect-src http://127.0.0.1:*; default-src https: 'unsafe-inline'

I can’t find any setting for me to alter this, so I’m guessing CF is enforcing it through Access? I am struggling to create a ticket at the moment so hopefully someone can help with this.

Thanks in advance


For posterity you can find the documentation for CORS w/ Access in our Developer Docs

Also for anyone who finds this topic, Cloudflare do not support having CF Access protected pages within an iframe. I suggested they add this to their docs so people aren’t surprised by it. Disappointing as it meant one of our key planned implementations of this technology couldn’t be achieved.
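The framing decision described in this thread, as an added example that is not part of the original posts and is not Cloudflare's code: it parses the CSP header quoted above and evaluates `frame-ancestors` for the response that ends up rendered in the iframe after the 302. The application and parent hostnames, the hop list, and the function names are constructed assumptions, and source matching is simplified.

```javascript
// Added example. Hostnames and the hop list are constructed placeholders;
// only the CSP string and the XXXX login host are quoted from the thread.
const ACCESS_CSP = "frame-ancestors 'none'; connect-src http://127.0.0.1:*; default-src https: 'unsafe-inline'";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified matching: 'self', *, scheme-source, and host-source with an
// optional scheme, leading "*." and port. Paths are not supported.
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === '*') return /^https?:$/.test(ancestor.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!m) return false; // 'none' and unsupported expressions match nothing
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme ? ancestor.protocol === scheme + ':'
    : ancestor.protocol === 'https:' || ancestor.protocol === self.protocol;
  const hostOk = wildcard ? ancestor.hostname.endsWith('.' + host) : ancestor.hostname === host;
  const effPort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
  const portOk = port === '*' || (port ? port === effPort : ancestor.port === '');
  return schemeOk && hostOk && portOk;
}

// The check applies to the response rendered in the frame, so skip the
// redirect hops and evaluate the first non-3xx response.
function framingVerdict(hops, ancestors) {
  const final = hops.find(h => h.status < 300 || h.status >= 400);
  const sources = parseCsp(final.headers['content-security-policy'] || '').get('frame-ancestors');
  // frame-ancestors does not fall back to default-src: absent means allowed.
  const allowed = sources === undefined || ancestors.every(a =>
    sources.some(src => sourceMatches(src, new URL(a), new URL(final.url))));
  return { url: final.url, allowed, sources: sources || null };
}

const hops = [ // constructed: app redirects to the Access login page
  { url: 'https://app.example.com/', status: 302, headers: { location: 'https://XXXX.cloudflareaccess.com/' } },
  { url: 'https://XXXX.cloudflareaccess.com/', status: 200, headers: { 'content-security-policy': ACCESS_CSP } },
];
console.log(framingVerdict(hops, ['https://portal.example.com/']));
```

The verdict points at the login page rather than the application, which is why no header change on the origin site affects the error.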