Content Security Headers and iframe

I’m trying to embed a specific WordPress page (using Bedrock and Trellis) in an iframe on another site with a different domain. But the dev console shows this error:
"Refused to display '' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."

The headers of the page are the following:

    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'

I’ve tried using PHP header_remove() for that page, and tried to modify the headers with the WP hooks wp_headers and send_headers, but that gave no result.
Searching the WP code shows that these headers (CSP and X-Frame-Options) are only sent for the WP Customizer page, and other pages of a site do not have them. Standard WP sites that are not built on Bedrock and Trellis also don’t have CSP and X-Frame-Options headers.

I’m a bit puzzled by this situation; maybe somebody knows how to solve it and remove the security headers from a specific page?

Thank you!


Hi Ben,

Can you clarify what the solution is here? I found the file and it’s set exactly like yours, but my default Content-Security-Policy for frame-ancestors always defaults to 'self' after re-provisioning, no matter what I do.

Same with X-Frame-Options. I see them changed, but when I check the headers again it shows the changed settings and then prints out again / reverts to:

    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self';

Step 1

In trellis/roles/nginx/templates/h5bp/directive-only/extra-security.conf:

If your iframe is on another site, DON’T uncomment that first line (X-Frame-Options) but instead add another below:

    # "https://embedding-site.example" is a placeholder: put the origin of the site that hosts the iframe here.
    # An empty source list ("frame-ancestors;") is equivalent to 'none' and blocks framing from everywhere.
    add_header Content-Security-Policy "frame-ancestors https://embedding-site.example;";

This is the right approach for modern browsers.

Step 2

To allow the above file to be loaded, in trellis/group_vars/all/security.yml, add:

    h5bp_extra_security_enabled: true

Step 3

Then, in the trellis/group_vars/production/wordpress_sites.yml file (or the one for whichever remote you want this enabled for), you may need to add nginx_embed_security: false as shown below, to stop conflicting headers from being added:

    #... other options ...#
    nginx_embed_security: false

Step 4

Reprovision the affected remotes.
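Before re-provisioning, it helps to know exactly what a given header set permits, since the two headers interact (browsers that understand frame-ancestors ignore X-Frame-Options when both are sent, and an empty frame-ancestors source list means 'none'). The script below is an added example written for this thread, not code from the thread, from Trellis or from h5bp. It evaluates a CSP frame-ancestors source list (falling back to X-Frame-Options only when that directive is absent) against the origin of the page that wants to do the embedding. The header values are the ones quoted above plus a constructed https://embedding-site.example placeholder for the embedding site; the matching rules are a practical subset of CSP Level 3 host-source matching ('none', 'self', '*', scheme sources, and host sources with optional scheme, wildcard subdomain and port).

```python
"""Check whether a page's framing headers let another origin embed it in an iframe.

Added example: implements a practical subset of CSP Level 3 frame-ancestors
source matching, and uses X-Frame-Options only when no frame-ancestors
directive is present, which is how browsers treat the two headers together.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample header sets: the two quoted in the thread and a corrected
# one that names the embedding site (placeholder origin, not a real host).
SAMPLE_HEADERS = {
    "as-reported": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "empty-source-list": {
        "Content-Security-Policy": "frame-ancestors;",
    },
    "allow-embedding-site": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self' https://embedding-site.example",
    },
}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None when the directive is absent.

    "frame-ancestors;" yields an empty list, which CSP treats the same as 'none'.
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source, ancestor_url, page_url):
    """Does one frame-ancestors source expression match the embedding page's origin?"""
    a_scheme, a_host, a_port = origin_of(ancestor_url)
    p_scheme, p_host, p_port = origin_of(page_url)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (a_scheme, a_host, a_port) == (p_scheme, p_host, p_port)
    if src == "*":
        return True
    if src.endswith(":") and "//" not in src:      # scheme-source such as "https:"
        return a_scheme == src[:-1]
    # host-source: [scheme://]host[:port]; without a scheme it inherits the protected page's scheme
    if "://" in src:
        src_scheme, rest = src.split("://", 1)
    else:
        src_scheme, rest = p_scheme, src
    host, _, port = rest.partition(":")
    # CSP3 lets an http: source also match an https: ancestor
    scheme_ok = a_scheme == src_scheme or (src_scheme == "http" and a_scheme == "https")
    if host.startswith("*."):
        host_ok = a_host.endswith(host[1:])        # subdomains only, not the apex host
    else:
        host_ok = a_host == host
    if port == "":
        port_ok = a_port == DEFAULT_PORTS.get(src_scheme)
    elif port == "*":
        port_ok = True
    else:
        port_ok = a_port == int(port)
    return scheme_ok and host_ok and port_ok


def xfo_allows(value, ancestor_url, page_url):
    """Apply X-Frame-Options; browsers ignore unrecognised values, so those allow framing."""
    value = value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(ancestor_url) == origin_of(page_url)
    return True


def embedding_allowed(headers, ancestor_url, page_url):
    """True if a browser would let ancestor_url frame page_url, given page_url's response headers."""
    sources = parse_frame_ancestors(headers.get("Content-Security-Policy", ""))
    if sources is not None:
        # When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
        return any(source_matches(s, ancestor_url, page_url) for s in sources)
    xfo = headers.get("X-Frame-Options")
    return xfo_allows(xfo, ancestor_url, page_url) if xfo is not None else True


if __name__ == "__main__":
    page = "https://wordpress-site.example/embedded-page"   # constructed
    for name, headers in SAMPLE_HEADERS.items():
        for ancestor in ("https://wordpress-site.example/", "https://embedding-site.example/"):
            verdict = "allowed" if embedding_allowed(headers, ancestor, page) else "blocked"
            print(f"{name:22} framed by {ancestor:36} -> {verdict}")
```

Running it shows the "as-reported" set blocking the embedding site, the "empty-source-list" set blocking even the WordPress site itself, and the corrected set allowing the embedding site despite the leftover X-Frame-Options: SAMEORIGIN, which is why step 3 matters only for browsers that do not support frame-ancestors.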