Symptom
- Proxy Now is showing a Content Security Policy violation error.
- We can't load https://XXX.com because it violates the Content Security Policy directive: frame-ancestors.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
SAP SuccessFactors HXM Suite
Reproducing the Issue
When you try proxying as another person in SAP SuccessFactors via the Proxy Now feature, you may see a Content Security Policy violation error box similar to the one depicted below.
Cause
This is a known issue that may occur because of 3rd-party integrations with SuccessFactors. Tenants can have 3rd-party systems integrated with SAP SuccessFactors, and as part of those integrations, logout URLs for these 3rd-party systems are configured in SuccessFactors Provisioning under "Service Provider Settings > Authorized SP Assertion Consumer Service Settings > Logout Urls". With these logout URLs configured, when the user proxies as a different person using Proxy Now (or logs out of SuccessFactors), each 3rd-party logout URL is invoked in an iframe so that the 3rd-party login sessions are terminated before the user proxies as someone else (or before the user logs out of SuccessFactors).
However, if the Content Security Policy (CSP) in a 3rd-party logout URL's response specifies a frame-ancestors directive that does not include the SuccessFactors domain, then the browser flags the logout response as violating the frame-ancestors directive and generates a CSP error. This CSP error may be a report-only error rather than one that the browser enforces. The difference lies in which CSP HTTP response header the 3rd-party logout URL returns:
- If the CSP response header is called "Content-Security-Policy", then any CSP error that occurs will be enforced.
- If the CSP response header is called "Content-Security-Policy-Report-Only", then the CSP error will only be reported and not enforced.
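The following is an added example and is not code from the SAP KBA or from SuccessFactors. Given the response headers of a 3rd-party logout URL, it predicts whether a browser will enforce, only report, or allow the framing of that URL by the SuccessFactors page, applying the header-name distinction described above together with frame-ancestors source matching. All hostnames, URLs and header values are constructed sample data; the `.example` domains are placeholders and not real tenant or vendor hosts.

```javascript
// Added example (not from the SAP KBA): predict how a browser treats a
// frame-ancestors mismatch for a framed 3rd-party logout URL.
// Hostnames, URLs and header values below are constructed sample data.

const ENFORCE_HEADER = 'content-security-policy';
const REPORT_ONLY_HEADER = 'content-security-policy-report-only';

// Return the frame-ancestors source list of one CSP policy string,
// or null when the policy carries no frame-ancestors directive.
function frameAncestorsSources(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keywords such as 'self' and 'none'.
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Port actually in use, filling in the scheme default when the URL omits it.
function effectivePort(u) {
  if (u.port) return u.port;
  return u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '';
}

// Does one source expression permit ancestorOrigin to frame the response?
// Covers 'none', 'self', '*', bare schemes ("https:") and host-sources with
// optional scheme, wildcard subdomain and port, which is what logout
// endpoints return in practice.
function sourceMatches(source, ancestor, response) {
  if (source === 'none') return false;
  if (source === 'self') return ancestor.origin === response.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return ancestor.protocol === source;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (ancestor.protocol !== scheme + ':') return false;
  } else if (ancestor.protocol !== response.protocol &&
             !(response.protocol === 'http:' && ancestor.protocol === 'https:')) {
    return false; // no scheme given: same scheme, or https upgrade of an http page
  }
  const h = ancestor.hostname;
  const hostOk = wildcard ? (h.endsWith('.' + host) && h !== host) : h === host;
  if (!hostOk) return false;
  if (port === undefined) return ancestor.port === '';      // default port only
  if (port === '*') return true;
  return effectivePort(ancestor) === port;
}

// headers: array of [name, value] pairs, so duplicate CSP headers are kept.
// Returns 'enforced', 'report-only' or 'allowed'.
function assessFraming(headers, ancestorUrl, responseUrl) {
  const ancestor = new URL(ancestorUrl);
  const response = new URL(responseUrl);
  let blocked = false, reported = false;
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    if (lower !== ENFORCE_HEADER && lower !== REPORT_ONLY_HEADER) continue;
    const sources = frameAncestorsSources(value);
    if (sources === null) continue;                   // directive absent: no restriction
    if (sources.some(s => sourceMatches(s, ancestor, response))) continue;
    if (lower === ENFORCE_HEADER) blocked = true; else reported = true;
  }
  return blocked ? 'enforced' : reported ? 'report-only' : 'allowed';
}

// Constructed sample data: the SuccessFactors page doing the framing and a
// 3rd-party logout URL loaded in an iframe during Proxy Now / logout.
const SF_PAGE = 'https://company.successfactors.example/sf/home';
const LOGOUT_URL = 'https://sso.thirdparty.example/logout';
const SAMPLES = {
  enforced:   [['Content-Security-Policy', "default-src 'self'; frame-ancestors 'self' https://*.thirdparty.example"]],
  reportOnly: [['Content-Security-Policy-Report-Only', "frame-ancestors 'none'; report-uri /csp-reports"]],
  allowed:    [['Content-Security-Policy', "frame-ancestors 'self' https://*.successfactors.example"]],
  noDirective:[['Content-Security-Policy', "default-src 'self'"]],
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(12), '->', assessFraming(headers, SF_PAGE, LOGOUT_URL));
}
```

To apply this to a real case, capture the logout URL's response headers from the browser's network panel or the HTTP logs requested in the Resolution section and pass them as the `headers` array; an 'enforced' result means the error box is mandated by the 3rd-party system and the fix lies in its frame-ancestors list, while 'report-only' means the browser should not block the iframe.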
When 1H 2021 was first released to preview environments, the CSP violation error box would show up even for a CSP error that was only supposed to be reported rather than enforced by the browser. This has since been resolved in a patch (b2105p4p2), and the fix will also be included in the production release of 1H 2021. However, there may still be 3rd-party logout URLs whose policies instruct browsers to enforce CSP violations. If such a policy has a frame-ancestors directive that prevents SuccessFactors from showing the logout URL in an iframe, then the CSP error will still show up, as mandated by the 3rd-party system.
Additionally, it has been reported that some releases of Chromium-based browsers (such as Microsoft Edge and Chrome version 90) were incorrectly throwing that error message due to a change in the CSP parsing method for the 'frame-ancestors' directive. The parsing method was corrected in later browser versions (e.g. Chrome version 91).
Resolution
Please note that the error will not prevent you from proceeding with the proxy operation. You can simply click the "OK" button in the error box and continue.
Also, please upgrade your browser to the latest version available to rule out the browser's CSP directive parsing as the cause of the issue.
If you would like for SAP to further investigate this, please report this issue to SAP Support team (LOD-SF-PLT-PRX). When creating the ticket, please provide the following details:
- Company id and support access
- Proxy user and account holder information
- Screen shot of the Content Security Policy violation error box from SuccessFactors, which will contain a reference to the 3rd-party system's base URL
- URL of the current SuccessFactors page, which will contain the SuccessFactors domain that was invoking the 3rd-party system
- HTTP logs recorded while performing the action (KBA 2089446)
See Also
KBA 2742494 - How to Enable ContentSecurityPolicy (CSP)
Keywords
Content Security Policy, CPS, frame-ancestors, Content-Security-Policy, Content-Security-Policy-Report-Only, KBA, LOD-SF-PLT-PRX, Proxy, LOD-SF-PLT-SEC, Security Reports, Problem