I’m trying to implement a twitch embedded player to my loading-screen, everything’s working fine on a local server and a browser but when connecting to my fxserver i get this error : Refused to frame 'https://player.twitch.tv/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://127.0.0.1:* https://127.0.0.1:* https://cfx-nui-loadingscreen".
It seems like this is caused because of the parent option i need to specify to every other domains related but i don’t know what domains i could add to it, actually this is set to ["127.0.0.1", "cfx-nui-loadingscreen"].
I’m not sure about what a CSP is but when creating an iframe pointing to player.twitch.tv you need to specify the parent attribute for example https://player.twitch.tv/?sodapoppin&parent=localhost (otherwise you get an error saying your twitch embed is misconfigured) and if you specify it it will add automatically this header Content-Security-Policy: frame-ancestors http://localhost:* https://localhost:* to the iframe GET request, so in fact you can’t embed from player.twitch.tv if you don’t have a CSP header containing frame-ancestors.
Remove the CSP headers from player.twitch.tv then? Not going to patch Chrome to ignore nui root URLs nor make that implementation detail (the UI root URL) something you can explicitly rely on for some site thinking they have to be doing stupid shit like this.
… then again platform code could use the CEF request interception stuff to mangle any CSP headers sites send.
,
Not going to patch Chrome to ignore nui root URLs nor make that implementation detail (the UI root URL) something you can explicitly rely on for some site thinking they have to be doing stupid shit like this.