https://community.developer.cybersource.com/t5/cybersource-APIs/Microform-V2-Integration-CSP-Frame-Ancestors-issue-Sandbox/m-p/91453#M2174 <P>Seems it was related to the TargetOrgins[] passed over in the initial Capture Context. For now - Hard-coded to our SF VF Page url and seems to resolve all this confusion.</P> Wed, 19 Mar 2025 17:42:12 GMT mdennis 2025-03-19T17:42:12Z https://community.developer.cybersource.com/t5/cybersource-APIs/Microform-V2-Integration-CSP-Frame-Ancestors-issue-Sandbox/m-p/91452#M2173 <P>Hello,<BR /><BR />I've reached a speedbump in our upgrade from Flex Microform v0.4 to v2. After loading the Flex script, and mounting the CardNumber and CVV fields, we get a nasty CSP error from Cybersource, related to the mounted iframe.<BR /><BR /><FONT face="courier new,courier"><STRONG>Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at &lt;unknown&gt; because it violates the following directive: “frame-ancestors </STRONG></FONT><A href="https://cybersource.com”" target="_blank" rel="noopener"><FONT face="courier new,courier"><STRONG>https://cybersource.com”</STRONG></FONT></A><BR /><BR />This is being implemented in a LWC/VF Page in Salesforce sandbox. It's my understanding that there’s nothing in Salesforce (or in our Visualforce/LWC code) that can override a <STRONG>third‑party iframe’s</STRONG> frame‑ancestors policy — that directive is sent by CyberSource’s servers and enforced by the browser. Is it true CyberSource has to whitelist our exact Salesforce origin in their frame‑ancestors CSP header?<BR /><BR />Why is this not mentioned anywhere in the documentation. Any one else encountered this before?<BR /><BR />These are the response headers coming back from testflex.cybersource.com:<BR /><BR /><FONT face="courier new,courier"><STRONG>HTTP/2 200 </STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>date: Wed, 19 Mar 2025 17:05:43 GMT</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>content-type: text/html;charset=utf-8</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>content-security-policy: frame-ancestors <A href="https://cybersource.com" target="_blank" rel="noopener">https://cybersource.com</A>; default-src 'self'; connect-src 'self'; script-src 'self'; style-src 'unsafe-inline'; child-src 'none'; frame-src 'none'; img-src 'none'; font-src 'none'; media-src 'none'; object-src 'none'; report-uri /cybersource/microform/v1/violation-report;</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>x-content-type-options: nosniff</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>cache-control: no-store</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>expires: Thu, 01 Jan 1970 00:00:00 GMT</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>strict-transport-security: max-age=31536000</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>v-c-correlation-id: a3c7123b-a2c1-4d62-a27c-82fd18c90d62</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>x-opnet-transaction-trace: e682e054-d852-450a-b102-f23c7fba80da-22769-8892031</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>cf-cache-status: DYNAMIC</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>server: cloudflare</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>cf-ray: 922e8e690995b7f2-MIA</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>content-encoding: br</STRONG></FONT><BR /><FONT face="courier new,courier"><STRONG>X-Firefox-Spdy: h2</STRONG></FONT></P> Wed, 19 Mar 2025 17:14:58 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Microform-V2-Integration-CSP-Frame-Ancestors-issue-Sandbox/m-p/91452#M2173 mdennis 2025-03-19T17:14:58Z https://community.developer.cybersource.com/t5/cybersource-APIs/Microform-V2-Integration-CSP-Frame-Ancestors-issue-Sandbox/m-p/91453#M2174 <P>Seems it was related to the TargetOrgins[] passed over in the initial Capture Context. For now - Hard-coded to our SF VF Page url and seems to resolve all this confusion.</P> Wed, 19 Mar 2025 17:42:12 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Microform-V2-Integration-CSP-Frame-Ancestors-issue-Sandbox/m-p/91453#M2174 mdennis 2025-03-19T17:42:12Z