0121 31 45 374
Qoute Icon

Sitefinity/Ucommerce admin area - The content is blocked. Contact the site owner to fix the issue.

Tim

Loading the Ucommerce admin area in Sitefinity we were hitting ​a rather unfriendly error message "The content is blocked. Contact the site owner to fix the issue.​"

The fix is relatively simple -edit `App_Data/Sitefinity/Configuration/WebSecurityConfig.config​` and add "'self'" to both "frame-src" and "frame-ancestors" so it looks like this:

<?xml version="1.0" encoding="utf-8"?>
<webSecurityConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="14.3.8000.0">
<httpSecurityHeaders>
<responseHeaders>
<add name="Content-Security-Policy" config:flags="1">
<directives>
<remove name="frame-src" />
<add name="script-src" config:flags="1">
<values>
<remove value="https://www.youtube.com" />
<remove value="https://*.googletagmanager.com" />
<add value="https://www.youtube.com/iframe_api" />
<add value="https://dec.azureedge.net/" />
<add value="munchkin.marketo.net" />
<add value="use.fontawesome.com" />
<add value="stackpath.bootstrapcdn.com" />
<add value="*.livechatinc.com" />
</values>
</add>
<add name="style-src" config:flags="1">
<values>
<add value="*.livechatinc.com" />
</values>
</add>
<add name="img-src" config:flags="1">
<values>
<remove value="i.ytimg.com" />
<remove value="https://*.googletagmanager.com" />
<add value="https://*.insight.sitefinity.com" />
<add value="https://*.dec.sitefinity.com" />
<add value="*.awwwards.com" />
<add value="*.livechatinc.com" />
</values>
</add>
<add name="font-src" config:flags="1">
<values>
<add value="*.livechatinc.com" />
</values>
</add>
<add name="frame-src">
<values>
<add value="'self'" />
</values>
</add>
<add name="connect-src" config:flags="1">
<values>
<remove value="data:" />
<remove value="*.gstatic.com" />
<remove value="https://*.googletagmanager.com" />
<add value="*.mktoresp.com" />
<add value="*.livechatinc.com" />
</values>
</add>
<add name="media-src" config:flags="1">
<values>
<add value="https://cdn.livechatinc.com/widget/static/media/new_message.a37211a6.ogg" />
</values>
</add>
<add name="child-src" config:flags="1">
<values>
<remove value="https://www.youtube-nocookie.com" />
<add value="*.livechatinc.com" />
</values>
</add>
<add name="frame-ancestors">
<values>
<add value="'self'" />
</values>
</add>
</directives>
</add>
<add disabled="True" name="Cross-Origin-Embedder-Policy" config:flags="1" />
<add disabled="True" name="Cross-Origin-Opener-Policy" config:flags="1" />
<add disabled="True" name="Cross-Origin-Resource-Policy" config:flags="1" />
<add disabled="True" name="Permissions-Policy" config:flags="1" />
</responseHeaders>
</httpSecurityHeaders>
<csrfProtection enable="False" />
</webSecurityConfig>

Liked this post? Got a suggestion? Leave a comment