Sitefinity/Ucommerce admin area - The content is blocked. Contact the site owner to fix the issue.

Loading the Ucommerce admin area in Sitefinity, we were hitting a rather unfriendly error message: "The content is blocked. Contact the site owner to fix the issue."

The fix is relatively simple: edit `App_Data/Sitefinity/Configuration/WebSecurityConfig.config` and add "'self'" to both "frame-src" and "frame-ancestors" so it looks like this:

<?xml version="1.0" encoding="utf-8"?>
<!--
  Sitefinity web security configuration as shown in the post. The change the
  post describes is the 'self' value under the frame-src and frame-ancestors
  directives. The remaining entries presumably reflect this site's existing
  policy and should be reviewed before being copied to another site.
-->
<webSecurityConfig
  xmlns:config="urn:telerik:sitefinity:configuration"
  xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="14.3.8000.0">
  <httpSecurityHeaders>
    <responseHeaders>
      <add name="Content-Security-Policy" config:flags="1">
        <directives>
          <!-- Removes the frame-src directive by name; it is declared again
               further down with 'self' as its only value.
               NOTE(review): presumably this replaces the product's default
               frame-src list rather than extending it; confirm that no other
               framed origin is still needed. -->
          <remove name="frame-src" />
          <!-- Host wildcards such as *.livechatinc.com trust every subdomain
               of that domain as a script source; keep this list as narrow as
               the site allows. -->
          <add name="script-src" config:flags="1">
            <values>
              <remove value="https://www.youtube.com" />
              <remove value="https://*.googletagmanager.com" />
              <add value="https://www.youtube.com/iframe_api" />
              <add value="https://dec.azureedge.net/" />
              <add value="munchkin.marketo.net" />
              <add value="use.fontawesome.com" />
              <add value="stackpath.bootstrapcdn.com" />
              <add value="*.livechatinc.com" />
            </values>
          </add>
          <add name="style-src" config:flags="1">
            <values>
              <add value="*.livechatinc.com" />
            </values>
          </add>
          <add name="img-src" config:flags="1">
            <values>
              <remove value="i.ytimg.com" />
              <remove value="https://*.googletagmanager.com" />
              <add value="https://*.insight.sitefinity.com" />
              <add value="https://*.dec.sitefinity.com" />
              <add value="*.awwwards.com" />
              <add value="*.livechatinc.com" />
            </values>
          </add>
          <add name="font-src" config:flags="1">
            <values>
              <add value="*.livechatinc.com" />
            </values>
          </add>
          <!-- frame-src limits which origins this site may load inside frames;
               'self' allows same-origin frames only. In current browsers a
               present frame-src is applied to frames instead of falling back
               to child-src, so the child-src values below do not widen it. -->
          <add name="frame-src">
            <values>
              <add value="'self'" />
            </values>
          </add>
          <add name="connect-src" config:flags="1">
            <values>
              <remove value="data:" />
              <remove value="*.gstatic.com" />
              <remove value="https://*.googletagmanager.com" />
              <add value="*.mktoresp.com" />
              <add value="*.livechatinc.com" />
            </values>
          </add>
          <add name="media-src" config:flags="1">
            <values>
              <add value="https://cdn.livechatinc.com/widget/static/media/new_message.a37211a6.ogg" />
            </values>
          </add>
          <add name="child-src" config:flags="1">
            <values>
              <remove value="https://www.youtube-nocookie.com" />
              <add value="*.livechatinc.com" />
            </values>
          </add>
          <!-- frame-ancestors limits which pages may embed this site in a
               frame; 'self' permits same-origin embedding only, so framing by
               other origins stays blocked (the clickjacking defence) while the
               site can frame its own pages. -->
          <add name="frame-ancestors">
            <values>
              <add value="'self'" />
            </values>
          </add>
        </directives>
      </add>
      <!-- NOTE(review): disabled="True" presumably means these four headers
           are not sent. They are unrelated to the frame-src / frame-ancestors
           change; confirm this is intended before reusing the file. -->
      <add disabled="True" name="Cross-Origin-Embedder-Policy" config:flags="1" />
      <add disabled="True" name="Cross-Origin-Opener-Policy" config:flags="1" />
      <add disabled="True" name="Cross-Origin-Resource-Policy" config:flags="1" />
      <add disabled="True" name="Permissions-Policy" config:flags="1" />
    </responseHeaders>
  </httpSecurityHeaders>
  <!-- NOTE(review): enable="False" switches the csrfProtection setting off.
       This is not part of the frame-src / frame-ancestors change; do not carry
       it over when copying this file unless the site relies on another CSRF
       defence. Confirm against the site's own requirements. -->
  <csrfProtection enable="False" />
</webSecurityConfig>
