• Hello,

    I have 3 copies of my site in different subdomains. All except 1 has a problem when I try to go to ‘Customize’. The preview is not showing although the changes I made are being saved. Here’s the error when I checked the console:

    Refused to display 'http://dfp_dev.creativequoin.com/login/?redirect_to=http%3A%2F%2Fdfp_dev.cr…me=noo-umbra-child%2Fnoo-umbra-child&customize_messenger_channel=preview-0' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://dfp_dev.creativequoin.com".
    data:,:1 The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: 'http://dfp_dev.creativequoin.com'. It will be ignored.

    And here’s what it looks like:

    I deactivated all plugins and cleared my cache. Your help is highy appreciated.

    Thanks,
    Eli

Viewing 3 replies - 1 through 3 (of 3 total)
  • I have the same issue – any solution to this? Started after I upgraded to Hueman 3.3.7. Even on a fresh wordpress with no plugins. Its even worse if you add their addon it throws up a warning and tells you to check your javascripts – you dont get the preview screen and it detects the error and you cant even use the customization menu at all as it wont save the changes. It does still work in Internet explorer – haven’t tried edge – but I use chrome. The author really needs to fix this instead of just telling people to deactivate their plugins which does not resolve anything. I didn’t deactivate my plugins – I installed another wordpress fresh and the latest – same problem. Fortunately – I deactivated their addon and at least I have access to use customization – I just dont get a preview unless I use the old internet explorer.

    The difference in mine though is I am not using and subdomains. Just one domain – and the match except in my error the domain is in all lower case and in the other part of the error it is in mixed caps. While this isnt a fix – I believe this is the issue:

    It means that the http server at cw.na1.hgncloud.com sent some http headers to tell web browsers like Chrome to allow iframe loading of that page (https://cw.na1.hgncloud.com/crossmatch/) only from a page hosted on the same domain (cw.na1.hgncloud.com) :

    Content-Security-Policy: frame-ancestors ‘self’ https://cw.na1.hgncloud.com
    X-Frame-Options: ALLOW-FROM https://cw.na1.hgncloud.com
    You should read that :

    https://developer.mozilla.org/en-US/docs/Web/Security/CSP
    https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

    You are using subdomains – so that may be your issue. But mine is the same domain just mixed caps – maybe the mixed caps are throwing it off. This should be something you can turn off on your server somewhere – unless Hueman is throwing that in somehow. All I know at this point is – everything was fine before the Hueman upgrade – now its not.

    Ok – so I was right at least on my site. My fix was easy. I simply went into the wordpress general settings and changed the domains in both fields to lower case. And its all working now even with the addon. Apparently its case sensitive. Your situation is a bit different though – but the security policy is the issue. Check to be sure both fields in your wordpress settings are exactly the same. In the code you posted they look identical – but check them in the settings to be sure. Otherwise I believe this may be a server misconfiguration. It could be something as simple as the template not understanding subdomains due to the . or the under score in your subdomain. I got mine working – I wish I had more to help you with.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Customize Not Showing’ is closed to new replies.