I have a public, SSL-enabled site: https://server1.com
I have another public, non-SSL-enabled site: http://subdomain.server2.com
I have set the Content-Security-Policy for the first site to be:
Content-Security-Policy: frame-ancestors 'self' http://*.server2.com
I have a page on server 2 that loads a page on server 1 in an iframe; however, I get the error:
Refused to display 'https://www.server1.com/some_page' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' http://*.server2.com".
Any ideas as to why this doesn't work? I'm assuming I don't have the right format for my frame-ancestors value, however everything I've found online seems to tell me this is correct.
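
One way to check a frame-ancestors value like the one above against every frame in the ancestor chain, which is what the browser evaluates rather than only the immediate parent. This is an added example, not part of the original post: it is a simplified model of CSP Level 3 matching ('self' and host sources only), the function names are hypothetical, and `other.example` is a constructed host.

```javascript
// Simplified frame-ancestors matcher: handles 'self' and scheme://host[:port]
// sources, including a leading "*." wildcard. Not a full CSP implementation.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/i;

// Does one source expression match one ancestor URL?
function sourceMatches(expr, ancestorUrl, selfUrl) {
  const a = new URL(ancestorUrl);
  const self = new URL(selfUrl);
  if (expr === "'self'") return a.origin === self.origin;

  const m = SOURCE_RE.exec(expr);
  if (!m) return false; // an expression that does not parse matches nothing
  const [, scheme, wildcard, host, port] = m;

  // No scheme in the expression: fall back to the protected page's scheme.
  // An http source also matches an https ancestor (secure upgrade).
  const want = scheme ? scheme.toLowerCase() + ":" : self.protocol;
  if (a.protocol !== want && !(want === "http:" && a.protocol === "https:")) return false;

  // "*.server2.com" covers any subdomain, but not "server2.com" itself.
  const h = a.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + wantHost) : h !== wantHost) return false;

  // No port in the expression: only the scheme's default port matches.
  const actualPort = a.port || DEFAULT_PORT[a.protocol] || "";
  if (port === "*") return true;
  if (port === undefined) return actualPort === DEFAULT_PORT[a.protocol];
  return actualPort === port;
}

// Returns the first ancestor URL the directive rejects, or null if all pass.
// `ancestors` is ordered from the immediate parent up to the top-level page.
function firstBlockedAncestor(directive, selfUrl, ancestors) {
  const sources = directive.trim().split(/\s+/).slice(1); // drop directive name
  for (const anc of ancestors) {
    if (!sources.some((s) => sourceMatches(s, anc, selfUrl))) return anc;
  }
  return null;
}

const POLICY = "frame-ancestors 'self' http://*.server2.com";
const SELF = "https://www.server1.com/some_page";
// Constructed ancestor chains: direct embed, bare domain, and a nested embed.
console.log(firstBlockedAncestor(POLICY, SELF, ["http://subdomain.server2.com/page"]));
console.log(firstBlockedAncestor(POLICY, SELF, ["http://server2.com/page"]));
console.log(firstBlockedAncestor(POLICY, SELF,
  ["http://subdomain.server2.com/page", "http://other.example/"]));
```

In the browser, `window.location.ancestorOrigins` (where supported) or the address bar of the top-level page shows which origins actually make up the chain to feed into this check.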