I’m trying to embed specific wordpress (use bedrock and trellis) page in an iframe (in another site with different domain). But dev console shows error:
"Refused to display 'https://site.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."
Headers of the the page are following:
"Content-Security-Policy: frame-ancestors 'self'
I’ve tried to use php header_remove() for that page, and tried to modify headers with wp hooks wp_headers and send_headers, but that gave no result.
Search in wp code shows that headers (CSP and X-Frame-Options) are being sent only for wp Customizer page, and other pages of a site do not have them. Standart wp sites, which are not built on bedrock and trellis, also don’t have CSP and X-Frame-Options headers
I’m a bit puzzled by that situation, maybe somebody know how to solve that and remove security headers from specific page?