Hi!
I’m trying to embed specific wordpress (use bedrock and trellis) page in an iframe (in another site with different domain). But dev console shows error: "Refused to display 'https://site.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."
The headers of the page are the following: "X-Frame-Options: SAMEORIGIN" "Content-Security-Policy: frame-ancestors 'self'"
I’ve tried to use php header_remove() for that page, and tried to modify headers with wp hooks wp_headers and send_headers, but that gave no result.
A search in the wp code shows that these headers (CSP and X-Frame-Options) are sent only for the wp Customizer page, and other pages of a site do not have them. Standard wp sites, which are not built on bedrock and trellis, also don’t have CSP and X-Frame-Options headers.
I’m a bit puzzled by that situation; maybe somebody knows how to solve it and remove the security headers from a specific page?
Can you clarify what the solution is here? I found the file and it’s set exactly like yours, but my default Content-Security-Policy frame-ancestors always defaults to ‘self’ after re-provisioning, no matter what I do.
Same with X-Frame-Options. I see them changed, but then when I ping the headers to check it shows the changed settings and then prints out again / reverts to:
To allow the above file to be loaded, in trellis/group_vars/all/security.yml, add:

    h5bp_extra_security_enabled: true

Step 3

Then, in the trellis/group_vars/production/wordpress_sites.yml file (or whichever remote you want this enabled for), you may need to add nginx_embed_security: false as shown below, to stop the conflicting headers from being added:

    wordpress_sites:
      mydomain.com:
        # ... other options ...
        nginx_embed_security: false
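A way to check, before and after re-provisioning, whether a page's headers will let a given third-party origin frame it. This is an added example, not code from the thread or from Trellis; it models the browser rule that a Content-Security-Policy frame-ancestors directive, when present, decides the outcome and X-Frame-Options is ignored, and that X-Frame-Options only applies when no such directive exists. The header list, the page URL https://site.com and the embedding origin https://other.example are constructed for the example; allow_embedders_policy builds the frame-ancestors value you would set if you want to admit one named origin instead of turning the headers off entirely.

```python
"""Evaluate framing headers (CSP frame-ancestors / X-Frame-Options) offline.

Added example for the thread above; not part of Trellis or WordPress.
"""
from urllib.parse import urlsplit

# Constructed copy of the headers reported in the question (not a live capture).
THREAD_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def frame_ancestors_sources(csp_value):
    """Return the frame-ancestors source list from one CSP header value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def source_allows(src, page, embedder):
    """Does one frame-ancestors source expression match the embedder origin?"""
    scheme, host, port = embedder
    low = src.strip().strip('"').lower()  # tolerate quotes left over from copy/paste
    if low == "'none'":
        return False
    if low == "'self'":
        return embedder == page
    if low == "*":
        return True
    if low.endswith(":") and "/" not in low:  # scheme-source, e.g. "https:"
        return scheme == low[:-1]
    # host-source: [scheme://]host[:port]; host may start with "*."
    if "://" in low:
        src_scheme, rest = low.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        rest = low
        # Scheme-less sources match the page's scheme, or https as an upgrade.
        if scheme not in (page[0], "https"):
            return False
    src_host, _, src_port = rest.rstrip("/").partition(":")
    if src_port == "":
        if port != DEFAULT_PORTS.get(scheme):
            return False
    elif src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # "*.example" matches "a.b.example"
    return host == src_host


def can_frame(headers, page_url, embedder_url):
    """Apply browser precedence and return (allowed, reason)."""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    policies = [frame_ancestors_sources(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    policies = [p for p in policies if p is not None]
    if policies:
        # Every enforced policy must admit the ancestor; X-Frame-Options is ignored.
        for sources in policies:
            if not any(source_allows(s, page, embedder) for s in sources):
                return False, "blocked by CSP frame-ancestors " + " ".join(sources)
        return True, "allowed by CSP frame-ancestors (X-Frame-Options ignored)"
    for n, v in headers:  # first X-Frame-Options header is used here
        if n.lower() == "x-frame-options":
            value = v.strip().upper()
            if value == "DENY":
                return False, "blocked by X-Frame-Options: DENY"
            if value == "SAMEORIGIN":
                if embedder == page:
                    return True, "same origin allowed by X-Frame-Options: SAMEORIGIN"
                return False, "blocked by X-Frame-Options: SAMEORIGIN"
            # ALLOW-FROM and malformed values are ignored by current browsers.
    return True, "no framing restriction present"


def allow_embedders_policy(extra_origins):
    """frame-ancestors value that keeps 'self' and admits only the named origins."""
    return "frame-ancestors 'self' " + " ".join(o.rstrip("/") for o in extra_origins)


if __name__ == "__main__":
    page, other = "https://site.com/wp/page", "https://other.example/embed"
    print(can_frame(THREAD_HEADERS, page, other))
    relaxed = [("X-Frame-Options", "SAMEORIGIN"),
               ("Content-Security-Policy", allow_embedders_policy(["https://other.example"]))]
    print(can_frame(relaxed, page, other))
```

The second call shows the point that matters for the thread: once a frame-ancestors directive names the embedding origin, the leftover X-Frame-Options: SAMEORIGIN no longer blocks the frame in current browsers, so allowing one origin is a narrower change than removing both headers with nginx_embed_security: false.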