I've been using the CSP policy directive as described here, but I can't seem to get the right configuration. The following line will load the page, but the JavaScript on the external site still loads.
header("X-Content-Security-Policy: allow 'self'; object-src 'self'; script-src 'self'; frame-src *.externalsite.com; img-src 'self'");
I've tried dozens of other configurations and seem to have hit a brick wall. Will this work with the CSP directive? Should I look somewhere else to allow an external site to load in an iframe sans JavaScript in Firefox? Is this even possible in Firefox?











