Roots Discourse

Content Security Headers and iframe

I’m trying to embed specific wordpress (use bedrock and trellis) page in an iframe (in another site with different domain). But dev console shows error:
"Refused to display '' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."

Headers of the the page are following:
"X-Frame-Options: SAMEORIGIN"
"Content-Security-Policy: frame-ancestors 'self'

I’ve tried to use php header_remove() for that page, and tried to modify headers with wp hooks wp_headers and send_headers, but that gave no result.
Search in wp code shows that headers (CSP and X-Frame-Options) are being sent only for wp Customizer page, and other pages of a site do not have them. Standart wp sites, which are not built on bedrock and trellis, also don’t have CSP and X-Frame-Options headers

I’m a bit puzzled by that situation, maybe somebody know how to solve that and remove security headers from specific page?

Thank you!

1 Like

Hi Ben,

can you clarify what is the solution here. I found the file and it’s exactly set like yours but my default Content-Security-Policy for frame frame-ancestors defaults always to ‘self’ after re-provision, no matter what I do.

Same with X-Frame-Options. I see them changed, but then when I ping the headers to check it shows the changed settings and then prints out again / reverts to:

X-Frame-Options SAMEORIGIN
Content-Security-Policy "frame-ancestors ‘self’;