iis - Set content-security-policy so that other sites could embed a specific pdf file in an iframe

Question

On our IIS website, there is a PDF file that we need to allow other sites to show in an iframe. Currently the content-security-policy in the web.config is this:

<system.webServer>
<httpProtocol>
  <customHeaders>
    <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
  </customHeaders>
</httpProtocol>  
</system.webServer>

As this is a pdf file, I could not use meta tags for that. As I could not find an answer to this anywhere, I tried to compromise and created another web.config in the subdirectory of the pdf file with:

        <add name="Content-Security-Policy" value="frame-ancestors '*'" />

trying thus to allow all the files in that directory to open in an iframe. However, IIS complained that I have multiple definitions of "Content-Security-Policy", so that didn't work.

Any ideas?

Answer 1

I tried to compromise and created another web.config in the subdirectory of the pdf file with:

    <add name="Content-Security-Policy" value="frame-ancestors '*'" />

trying thus to allow all the files in that directory to open in an iframe. However, IIS complained that I have multiple definitions of "Content-Security-Policy", so that didn't work.

It weird because in subfolders you can override root web.config.

Alternatively you can try url-rewrite to conditionally rewrite CSP header to another one as like here.

Note that PDF can be embedded anyway using Google Drive or PDF.js regardless CSP.