CSP frame-src blocks tel: links

Issue #16189457 • Assigned to wwatri

Details

Author
Stefan M.
Created
Mar 2, 2018
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
41.16299
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

Using a CSP policy such as

frame-src 'self' data: https: ;upgrade-insecure-requests ;block-all-mixed-content

will break links using the “tel” protocol, such as <a href="tel://1234567">Call us</a>.

These links are loaded as an iframe before the native Windows list of apps is shown.

Workaround for now is to add tel: to the frame-src attribute.

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “wwatri”

    You need to sign in to your Microsoft account to add a comment.

    Sign in