Content-Security-Policy Headers are there and showing the correct settings, but still getting a refused connection

So I’m putting a plugin together that will allow me to connect multiple client sites with an online service.

I can get the service vendor’s snippet to load, but once you interact with it, that’s where things get tricky and it refuses to load an (I guess) iframe… it’s pretty poorly documented.

Refused to load https://www.service-domain.com/ because it does not appear in the frame-ancestors directive of the Content Security Policy.

That’s the console log error I was receiving.

So I jumped back into my plugin and added the following:

    function bbti_send_headers() {
        header( "Content-Security-Policy: frame-ancestors https://www.service-domain.com/; frame-src https://www.service-domain.com/;" );
    }
    add_action( 'send_headers', 'bbti_send_headers' );

Now, when I reload the page I’m still getting the same error: Refused to load https://www.service-domain.com/... etc...

However, if I look at the network panel and check the page’s headers this is what I get:

    HTTP/1.1 200 OK
    Content-Encoding: gzip
    Content-Security-Policy: frame-ancestors https://www.service-domain.com/; frame-src https://www.service-domain.com/;

So the header is there, but I’m still getting the same error from the script.

Anyone know what it is I missed?
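
An added diagnostic example for the situation in the question above (not part of the original post, and not the vendor's code): it models which response's header the browser consults for each directive, with `frame-src` read from the embedding page and `frame-ancestors` read from the framed response itself. The client origin and the vendor's `frame-ancestors 'self'` header are constructed assumptions, and source matching is simplified to origins and the direct parent only.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or {"http": 80, "https": 443}.get(u.scheme)

def source_matches(source, url, self_url):
    """Simplified: 'self', *, scheme:, host, *.host; paths ignored, 'none' matches nothing."""
    scheme, host, port = origin(url)
    if source == "'self'":
        return origin(url) == origin(self_url)
    if source == "*":
        return scheme in ("http", "https")
    if source.endswith(":"):
        return scheme == source[:-1]
    s_scheme, s_host, s_port = origin(source if "://" in source else f"{scheme}://{source}")
    host_ok = host.endswith(s_host[1:]) if s_host.startswith("*.") else host == s_host
    return (s_scheme, s_port) == (scheme, port) and host_ok

def check_framing(parent_url, parent_csp, child_url, child_csp):
    """Report which response's header blocks parent_url from framing child_url."""
    parent, child = parse_csp(parent_csp), parse_csp(child_csp)
    # The embedding page's header decides what it may frame (frame-src and fallbacks).
    for name in ("frame-src", "child-src", "default-src"):
        if name in parent:
            if not any(source_matches(s, child_url, parent_url) for s in parent[name]):
                return f"blocked by embedding page: {name}"
            break
    # The framed response's header decides who may embed it (no fallback directive).
    ancestors = child.get("frame-ancestors")
    if ancestors is not None and not any(
            source_matches(s, parent_url, child_url) for s in ancestors):
        return "blocked by framed response: frame-ancestors"
    return "allowed"

CLIENT = "https://client-site.example/"        # constructed embedding site
SERVICE = "https://www.service-domain.com/"    # placeholder domain from the post
PLUGIN_CSP = ("frame-ancestors https://www.service-domain.com/; "
              "frame-src https://www.service-domain.com/;")  # header from the post
SERVICE_CSP = "frame-ancestors 'self'"         # constructed: assumed vendor header
```

With these inputs, `check_framing(CLIENT, PLUGIN_CSP, SERVICE, SERVICE_CSP)` reports the block as coming from the framed response; comparing against the real `Content-Security-Policy` header on the service's own response in the network panel shows whether that is the case.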