Site can't be placed in an iframe #226

Open
rlnorthcutt opened this issue Aug 18, 2020 · 0 comments
@rlnorthcutt

PROBLEM: When trying to view the website in Cloud IDE or in Campaign Studio preview, it fails with the error:
'This website blocks iframe previews with the x-frame-options: SAMEORIGIN header.'

SOLUTION: We need a way to allow DF sites to be opened in an iframe on specific domains.

BACKGROUND:
It appears that Drupal provides this as a default (which is good in general), but it seems that X-Frame-Options is deprecated in favor of using Content-Security-Policy.

There is a core issue/patch that can help, but I think we may want a more reliable solution until core figures it out. This site describes how to make a simple module to remove the x-frame-options header and insert a content-security-policy header. Ideally, this is configurable through the admin UI, or something in settings.php.
https://digitalist.global/talks/remove-x-frame-options-and-set-content-security-policy/

There is also a CSP module that might be extended (or may offer this option).
https://medium.com/myplanet-musings/drupal-8-content-security-policy-header-65d408c355a9
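
The header change requested in this issue, as an added framework-neutral example (not part of the issue and not code from the project or from Drupal): it drops `X-Frame-Options` and sets a CSP `frame-ancestors` directive limited to an explicit allow-list. The function names and the `preview.example.test` origin are hypothetical, and an empty allow-list deliberately leaves the default headers in place.

```python
from urllib.parse import urlsplit


def validate_origin(origin: str) -> str:
    """Return a normalized exact https origin, or raise ValueError."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname or "*" in origin:
        raise ValueError(f"not an exact https origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must not carry path, query or credentials: {origin!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"


def allow_framing(headers: dict, allowed_origins: list) -> dict:
    """Return a copy of the response headers that lets only allowed_origins frame the page."""
    if not allowed_origins:
        # Nothing configured: keep the SAMEORIGIN default untouched.
        return dict(headers)
    sources = ["'self'"] + [validate_origin(o) for o in allowed_origins]
    # X-Frame-Options cannot express a list of origins, so it is removed.
    out = {k: v for k, v in headers.items() if k.lower() != "x-frame-options"}
    csp_key = next((k for k in out if k.lower() == "content-security-policy"),
                   "Content-Security-Policy")
    directives = [d.strip() for d in out.get(csp_key, "").split(";") if d.strip()]
    # Replace any existing frame-ancestors instead of appending a duplicate
    # directive; other directives of an existing policy are preserved.
    directives = [d for d in directives if d.split()[0].lower() != "frame-ancestors"]
    directives.append("frame-ancestors " + " ".join(sources))
    out[csp_key] = "; ".join(directives)
    return out


if __name__ == "__main__":
    # Constructed sample response headers and a placeholder embedding origin.
    sample = {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    }
    for name, value in allow_framing(sample, ["https://preview.example.test"]).items():
        print(f"{name}: {value}")
```

Wildcard or non-https entries are rejected rather than passed through, so a configuration mistake cannot widen who may embed the site.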
