From 2ae121ab8a2b73ef1c8b71d0119caa90afd582d3 Mon Sep 17 00:00:00 2001 From: Zinan <97767306+ZinanZhang@users.noreply.github.com> Date: Wed, 24 Apr 2024 15:28:37 -0700 Subject: [PATCH 1/2] Update content-security-policy.md --- power-platform/admin/content-security-policy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/power-platform/admin/content-security-policy.md b/power-platform/admin/content-security-policy.md index 57f93f6c3..d18e4cf24 100644 --- a/power-platform/admin/content-security-policy.md +++ b/power-platform/admin/content-security-policy.md 
@@ -25,9 +25,9 @@ Each component of the CSP header value controls the assets that can be downloade | [worker-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src) | `'self' blob:` | No | | [style-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src) | `* 'unsafe-inline'` | No | | [font-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/font-src) | `* data:` | No | -| [frame-ancestors](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) | `'self'` | Yes | +| [frame-ancestors](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) | `'self' https://*.powerapps.com` | Yes | -This results in a default CSP of `script-src * 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; style-src * 'unsafe-inline'; font-src * data:; frame-ancestors 'self';`. In our roadmap, we have the ability to modify currently noncustomizable headers. +This results in a default CSP of `script-src * 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; style-src * 'unsafe-inline'; font-src * data:; frame-ancestors 'self' https://*.powerapps.com;`. In our roadmap, we have the ability to modify currently noncustomizable headers. ### Prerequisites - For Dynamics 365 Customer Engagement apps and other model-driven apps, CSP is only available in online environments and in organizations with Dynamics 365 Customer Engagement (on-premises), version 9.1 or later version. 
@@ -61,7 +61,7 @@ The final section is "Configure directives". This section allows you to control ![Configure CSP directives](media/csp-directives.png "Configure CSP directives") -Leaving the default directive toggled on uses the default value specified in the table shown earlier in this article. Turning off the toggle allows admins to specify custom values for the directive and append them to the default value. The example below sets custom values for `frame-ancestors`. The directive would be set to `frame-ancestors: 'self' https://www.foo.com https://www.bar.com` in this example, meaning the app could be hosted in the same origin, `https://www.foo.com` and `https://www.bar.com`, but not in other origins. Use the Add button to add entries to the list and the delete icon to remove them. +Leaving the default directive toggled on uses the default value specified in the table shown earlier in this article. Turning off the toggle allows admins to specify custom values for the directive and append them to the default value. The example below sets custom values for `frame-ancestors`. The directive would be set to `frame-ancestors: 'self' https://*.powerapps.com https://www.foo.com https://www.bar.com` in this example, meaning the app could be hosted in the same origin, `https://*.powerapps.com`, `https://www.foo.com` and `https://www.bar.com`, but not in other origins. Use the Add button to add entries to the list and the delete icon to remove them. ![Setting custom CSP directives](media/csp-default-directive.png "Setting custom CSP directives") 
@@ -110,7 +110,7 @@ In the above example: - `frame-ancestors` is customized to `https://www.baz.com` The effective CSP values would be: -- Model-driven apps: `Content-Security-Policy: script-src * 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; style-src * 'unsafe-inline'; font-src * data:; frame-ancestors 'self'; report-uri https://www.mysite.com/myreportingendpoint;` +- Model-driven apps: `Content-Security-Policy: script-src * 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; style-src * 'unsafe-inline'; font-src * data:; frame-ancestors 'self' https://*.powerapps.com; report-uri https://www.mysite.com/myreportingendpoint;` - Canvas apps: `Content-Security-Policy-Report-Only: script-src * 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; style-src * 'unsafe-inline'; font-src * data:; frame-ancestors https://www.baz.com; report-uri https://www.mysite.com/myreportingendpoint;` ## Organization settings From 6b2655e9108d69183ea917ef015fe67f13e74040 Mon Sep 17 00:00:00 2001 From: Sally Erickson Date: Thu, 25 Apr 2024 06:34:48 -0500 Subject: [PATCH 2/2] Update content-security-policy.md --- power-platform/admin/content-security-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/power-platform/admin/content-security-policy.md b/power-platform/admin/content-security-policy.md index d18e4cf24..203989cc7 100644 --- a/power-platform/admin/content-security-policy.md +++ b/power-platform/admin/content-security-policy.md @@ -1,7 +1,7 @@ --- title: "Content security policy" description: "Use content security policy to prevent clickjacking in Power Apps." -ms.date: 03/21/2024 +ms.date: 04/25/2024 ms.topic: conceptual author: JesseParsons ms.subservice: admin
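Review bot: In the `@@ -25,9 +25,9 @@` hunk, widening the default `frame-ancestors` from `'self'` to `'self' https://*.powerapps.com` lets any `powerapps.com` subdomain frame the app, which is a broader clickjacking allowance than the previous default; the row or the "This results in a default CSP of" sentence should state why that wildcard origin is part of the default so admins understand what they are accepting, and the table's "Yes" in the customizable column should say whether the `https://*.powerapps.com` entry can be removed or only appended to (the later hunk says custom values are appended to the default). The trailing context sentence "In our roadmap, we have the ability to modify currently noncustomizable headers" also reads as if the capability already exists and says "headers" where the table lists directives; suggest "Support for modifying the currently noncustomizable directives is on our roadmap."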
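Review bot: In the `@@ -61,7 +61,7 @@` hunk, "meaning the app could be hosted in the same origin, `https://*.powerapps.com`, `https://www.foo.com` and `https://www.bar.com`" reads as though `https://*.powerapps.com` is the same origin; suggest "meaning the app could be hosted in the same origin, in any `https://*.powerapps.com` origin, and in `https://www.foo.com` and `https://www.bar.com`, but not in other origins." While touching this line, `frame-ancestors: 'self' ...` carries a colon after the directive name, which is not valid CSP syntax (a directive name is separated from its values by whitespace); the effective-value lines in the `@@ -110,7` hunk write it correctly as `frame-ancestors 'self' ...`, so drop the colon here for consistency.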
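Review bot: In the `@@ -110,7 +110,7 @@` hunk, only the model-driven apps line gains `https://*.powerapps.com`, while the canvas apps line is left at `frame-ancestors https://www.baz.com`; the earlier hunk states that custom values are appended to the default value, so either the canvas line should become `frame-ancestors 'self' https://*.powerapps.com https://www.baz.com`, or, if canvas apps do not receive the new default, the text should say explicitly that the `https://*.powerapps.com` default applies only to model-driven apps so readers do not infer the wrong effective policy.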