Hello,
I've reached a speedbump in our upgrade from Flex Microform v0.4 to v2. After loading the Flex script, and mounting the CardNumber and CVV fields, we get a nasty CSP error from Cybersource, related to the mounted iframe.
Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at <unknown> because it violates the following directive: “frame-ancestors https://cybersource.com”
This is being implemented in a LWC/VF Page in Salesforce sandbox. It's my understanding that there’s nothing in Salesforce (or in our Visualforce/LWC code) that can override a third‑party iframe’s frame‑ancestors policy — that directive is sent by CyberSource’s servers and enforced by the browser. Is it true CyberSource has to whitelist our exact Salesforce origin in their frame‑ancestors CSP header?
Why is this not mentioned anywhere in the documentation? Anyone else encountered this before?
These are the response headers coming back from testflex.cybersource.com:
HTTP/2 200
date: Wed, 19 Mar 2025 17:05:43 GMT
content-type: text/html;charset=utf-8
content-security-policy: frame-ancestors https://cybersource.com; default-src 'self'; connect-src 'self'; script-src 'self'; style-src 'unsafe-inline'; child-src 'none'; frame-src 'none'; img-src 'none'; font-src 'none'; media-src 'none'; object-src 'none'; report-uri /cybersource/microform/v1/violation-report;
x-content-type-options: nosniff
cache-control: no-store
expires: Thu, 01 Jan 1970 00:00:00 GMT
strict-transport-security: max-age=31536000
v-c-correlation-id: a3c7123b-a2c1-4d62-a27c-82fd18c90d62
x-opnet-transaction-trace: e682e054-d852-450a-b102-f23c7fba80da-22769-8892031
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 922e8e690995b7f2-MIA
content-encoding: br
X-Firefox-Spdy: h2
03-19-2025 10:14 AM
Accepted Solutions
Seems it was related to the TargetOrigins[] passed over in the initial Capture Context. For now, hard-coded to our SF VF Page URL, and it seems to resolve all this confusion.
03-19-2025 10:42 AM
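The accepted answer points at the two values that have to agree: the exact origin of the hosting page must appear in the capture-context targetOrigins, and the frame-ancestors directive CyberSource returns with the iframe must then permit that same origin. The following pre-flight check is an added example, not code from the thread or from CyberSource; the CSP line and the testflex.cybersource.com origin come from the question's headers, while the Salesforce page URL and targetOrigins values are constructed.

```javascript
// Added example (not CyberSource's or Salesforce's code). Checks that the origin of the page
// embedding the Flex Microform iframe is listed verbatim in the capture-context targetOrigins
// and is permitted by the frame-ancestors directive CyberSource returns with the iframe.
// Header values below come from the question; page URLs and targetOrigins are constructed.
const CSP_FROM_QUESTION = "frame-ancestors https://cybersource.com; default-src 'self'; frame-src 'none'";
const FLEX_ORIGIN = 'https://testflex.cybersource.com'; // host that served the headers in the question
// An origin is scheme + host + non-default port only: no path, no trailing slash.
function pageOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}
// Extract the frame-ancestors source list from a CSP header (null if the directive is absent).
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}
// Match one host-source (optional scheme, '*.' host wildcard, optional port) against an origin.
function sourceMatches(src, origin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const o = new URL(origin);
  if (scheme && `${scheme.toLowerCase()}:` !== o.protocol) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.') ? !o.hostname.endsWith(h.slice(1)) : o.hostname !== h) return false;
  const oPort = o.port || (o.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === oPort;
}
// Would a browser let a document at `origin` embed the frame? frameOrigin resolves 'self'.
function frameAllowed(ancestors, origin, frameOrigin) {
  if (ancestors === null) return true; // no directive means no restriction
  return ancestors.some((src) => {
    const s = src.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'none') return false;
    if (s === 'self') return origin === frameOrigin;
    return s === '*' || sourceMatches(s, origin);
  });
}
// Pre-flight: both checks must pass or the browser will refuse to render the Microform iframe.
function checkMicroformEmbed({ pageUrl, targetOrigins, cspHeader, frameOrigin }) {
  const origin = pageOrigin(pageUrl);
  const problems = [];
  if (!targetOrigins.includes(origin)) problems.push(`targetOrigins must list exactly ${origin}`);
  if (!frameAllowed(frameAncestors(cspHeader), origin, frameOrigin)) problems.push(`frame-ancestors rejects ${origin}`);
  return { origin, ok: problems.length === 0, problems };
}
```

Run `checkMicroformEmbed` with the page URL you actually load the Microform from; a trailing slash or path in targetOrigins is enough to fail the first check, and a frame-ancestors list that still names only cybersource.com fails the second.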
