I’m trying to embed a specific WordPress page (the site uses Bedrock and Trellis) in an iframe on another site with a different domain. But the dev console shows this error:
"Refused to display 'https://site.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."
The headers of the page are as follows:
Content-Security-Policy: frame-ancestors 'self'
I’ve tried using PHP header_remove() for that page, and tried modifying the headers with the WP hooks wp_headers and send_headers, but that gave no result.
A search of the WP code shows that these headers (CSP and X-Frame-Options) are only sent for the WP Customizer page, and other pages of a site do not have them. Standard WP sites, which are not built on Bedrock and Trellis, also don’t have CSP and X-Frame-Options headers.
I’m a bit puzzled by this situation. Maybe somebody knows how to solve it and remove the security headers from a specific page?
Can you clarify what the solution is here? I found the file and it’s set exactly like yours, but my default Content-Security-Policy frame-ancestors always defaults to 'self' after re-provisioning, no matter what I do.
Same with X-Frame-Options. I see them changed, but then when I check the headers it shows the changed settings and then prints out again / reverts to:
Content-Security-Policy "frame-ancestors 'self';
If your iframe is on another site, DON’T uncomment that first line (X-Frame-Options) but instead add another line below it:
add_header Content-Security-Policy "frame-ancestors url-1.com url-2.com;"
This is the right approach for modern browsers.
To allow the above file to be loaded, in the trellis/group_vars/production/wordpress_sites.yml file (or whichever remote you want this enabled for) you may need to add nginx_embed_security: false as shown below, to stop the conflicting headers being added:
#... other options ...#
Then reprovision the affected remotes.