Refused to frame '' because it violates the following Content Security Policy directive: “frame-src *”

apache-2.4, centos7, content-security-policy, google-chrome

I have found many solutions to various situations with "refused to xyz" due to Content-Security-Policy Settings.

However I can't seem to find what might be wrong if '' gets refused.

The literal error message in the browser is

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *".

It only happens in Chrome. Loading the page in Firefox or Internet Explorer works just fine.

I set the following CSP (this is really one line; I put line breaks in for readability):

default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
frame-src 'self' *;
object-src 'none';
font-src 'self' data:;

Now it was my understanding that * means "everything". What is it that Chrome is showing me no love for?

Sidenote:
We have evaluated getting rid of 'unsafe-inline' and 'unsafe-eval' but we cannot at the moment. If this might be causing my problem, please point out how. Otherwise I am aware that it's a security implication and we're working on getting rid of it. For now it's here to stay.

Setting:
The web server is Apache:

# rpm -q httpd
httpd-2.4.6-80.el7.centos.1.x86_64

Edit 1:
The error occurs when trying to open the client's mail program from within the website. The user clicks on a link and the mail program is supposed to open.

This might be why Chrome displays an empty string ('') as the blocked content.

Best Answer

Had exactly that problem today. I solved it by using

frame-src data:

By the way, '*' is only a wildcard for URLs. data:, 'unsafe-inline' and 'unsafe-eval' have to be added individually.
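To make the point of the answer concrete, here is an added example (not code from the question or the answer above): a simplified re-implementation in plain JavaScript of how a browser evaluates a CSP source list such as `frame-src 'self' *` against a URL it is about to load, following the source-expression matching rules of CSP Level 3 (`*`, `'self'`, `'none'`, scheme-sources like `data:`, and host-sources like `*.example.com:8443/`). It goes a little beyond the thread by also handling host-source ports and paths. The document origin, policies and URLs are constructed sample values. It shows that `*` matches URLs with a network scheme (and the document's own scheme) but never `data:` or `mailto:` URLs, and that adding the `data:` scheme-source is what makes a data: frame pass.

```javascript
// Added example, not code from the original question or answer: a simplified
// model of CSP Level 3 source-expression matching. It approximates the spec
// (e.g. 'self' with scheme upgrades is handled in a simplified way).

const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// The URL API exposes "https:"; strip the trailing colon.
const schemeOf = (url) => url.protocol.slice(0, -1).toLowerCase();

// Port actually in use: the explicit port, else the scheme's default port.
const portOf = (url) => url.port || DEFAULT_PORTS[schemeOf(url)] || "";

// Scheme-part matching: an "http" source also permits "https", "ws" permits "wss".
function schemeMatches(allowed, actual) {
  return allowed === actual ||
    (allowed === "http" && actual === "https") ||
    (allowed === "ws" && actual === "wss");
}

// Parse a host-source like "https://*.example.com:8443/api/" into its parts.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1]?.toLowerCase() ?? null, host: m[2].toLowerCase(), port: m[3] ?? null, path: m[4] ?? "" };
}

// "*" matches any host, "*.example.com" matches subdomains only, else exact match.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit `url` for a document at `origin`?
function expressionMatches(expr, url, origin) {
  const lower = expr.toLowerCase();
  const urlScheme = schemeOf(url);

  if (lower === "'none'") return false;

  if (lower === "*") {
    // CSP3: "*" matches HTTP(S) URLs (browsers also take ws/wss) and URLs with
    // the document's own scheme. It never matches data:, blob:, filesystem:,
    // mailto: or javascript: URLs; such schemes must be listed explicitly.
    return NETWORK_SCHEMES.has(urlScheme) || urlScheme === schemeOf(origin);
  }

  if (lower === "'self'") {
    if (url.hostname !== origin.hostname) return false;
    if (urlScheme === schemeOf(origin)) return portOf(url) === portOf(origin);
    // Simplification: allow the http->https / ws->wss upgrade on the default port.
    return schemeMatches(schemeOf(origin), urlScheme) && url.port === "";
  }

  // Scheme-source such as "data:", "blob:", "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) {
    return schemeMatches(lower.slice(0, -1), urlScheme);
  }

  // Host-source such as "example.com", "*.example.com", "https://cdn.example.com:8443/".
  const src = parseHostSource(expr);
  if (!src) return false; // unrecognised expression (e.g. 'unsafe-inline' here): never matches
  const allowedScheme = src.scheme ?? schemeOf(origin); // no scheme given: the document's scheme
  if (!schemeMatches(allowedScheme, urlScheme)) return false;
  if (!hostMatches(src.host, url.hostname)) return false;
  if (src.port === "*") {
    // any port
  } else if (src.port !== null) {
    if (portOf(url) !== src.port) return false;
  } else if (url.port !== "") {
    return false; // no port in the source: only the scheme's default port matches
  }
  if (src.path === "" || src.path === "/") return true;
  return src.path.endsWith("/") ? url.pathname.startsWith(src.path) : url.pathname === src.path;
}

// Does the directive's source list permit `urlString` for a document at `originString`?
function cspAllows(sourceList, urlString, originString) {
  const url = new URL(urlString);
  const origin = new URL(originString);
  return sourceList.trim().split(/\s+/).some((expr) => expressionMatches(expr, url, origin));
}

// The frame-src value from the question, and the one the answer ended up with.
const questionPolicy = "'self' *";
const fixedPolicy = "'self' * data:";
const page = "https://www.example.com/app"; // constructed document origin

function demo() {
  return {
    httpsFrame: cspAllows(questionPolicy, "https://maps.example.net/embed", page), // true
    dataFrame: cspAllows(questionPolicy, "data:text/html,<p>hi</p>", page),         // false
    mailtoFrame: cspAllows(questionPolicy, "mailto:user@example.com", page),        // false
    dataFrameFixed: cspAllows(fixedPolicy, "data:text/html,<p>hi</p>", page),       // true
  };
}

console.log(demo());
```

Run it with `node` to see that `'self' *` admits the https frame but neither the data: nor the mailto: URL, while `'self' * data:` admits the data: frame. The same matcher also shows the host-source details the thread does not cover: `*.example.com` does not match `example.com` itself, and a host-source without a port only matches the scheme's default port.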
