# Content Security Headers and iframe

**URL:** https://discourse.roots.io/t/content-security-headers-and-iframe/13320
**Category:** trellis
**Created:** 2018-08-12T10:16:45Z
**Posts:** 4

## Post 1 by @Ivan_B — 2018-08-12T10:16:45Z

Hi!  
I’m trying to embed a specific WordPress page (the site uses Bedrock and Trellis) in an iframe on another site with a different domain. But the dev console shows this error:  
`Refused to display 'https://site.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".`

The headers of the page are the following:  
`X-Frame-Options: SAMEORIGIN`  
`Content-Security-Policy: frame-ancestors 'self'`

I’ve tried using PHP `header_remove()` for that page, and tried modifying the headers with the WP hooks `wp_headers` and `send_headers`, but that gave no result.  
A search of the WP code shows that those headers (CSP and X-Frame-Options) are sent only for the WP Customizer page, and the other pages of the site do not have them. Standard WP sites that are not built on Bedrock and Trellis also don’t have CSP and X-Frame-Options headers.

I’m a bit puzzled by this situation. Maybe somebody knows how to solve it and remove the security headers from a specific page?

Thank you!

---

## Post 2 by @ben — 2018-08-13T16:46:13Z

> <https://github.com/roots/trellis/blob/e3315fef63f290757e5ab249c96c01dadb84a8c2/roles/nginx/templates/h5bp/directive-only/extra-security.conf>

---

## Post 3 by @Boz_Bundalo — 2019-08-15T22:56:47Z

Hi Ben,

Can you clarify what the solution is here? I found the file and it’s set exactly like yours, but my default Content-Security-Policy `frame-ancestors` always defaults to `'self'` after re-provisioning, no matter what I do.

Same with X-Frame-Options. I see them changed, but then when I ping the headers to check, it shows the changed settings and then prints out again / reverts to:

```
X-Frame-Options SAMEORIGIN
Content-Security-Policy "frame-ancestors 'self';"
```

---

## Post 4 by @robrecord — 2022-03-30T10:21:52Z

## step 1

In `trellis/roles/nginx/templates/h5bp/directive-only/extra-security.conf`:

If your iframe is on another site, DON’T uncomment that first line (`X-Frame-Options`) but instead add another below:

```
# nginx directives end with a semicolon; the one inside the quotes belongs to the CSP value
add_header Content-Security-Policy "frame-ancestors url-1.com url-2.com;";
```

This is the right approach for modern browsers.

## step 2

To allow the above file to be loaded, in `trellis/group_vars/all/security.yml`, add:

```
h5bp_extra_security_enabled: true
```

## step 3

Then, in the `trellis/group_vars/production/wordpress_sites.yml` file (or whichever remote you want this enabled for), you may need to add `nginx_embed_security: false` as shown below, to stop conflicting headers from being added:

```
wordpress_sites:
  mydomain.com:
    #... other options ...#
    nginx_embed_security: false
```

## step 4

Reprovision the affected remotes.
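The reason step 3 matters is the precedence rule between the two headers: a browser that understands the CSP `frame-ancestors` directive ignores `X-Frame-Options` when both are present, while an older browser without `frame-ancestors` support sees only `X-Frame-Options`, so a leftover `SAMEORIGIN` still blocks the embed there. The following is an added example, not code from the thread or from Trellis: a small checker that takes a page's response headers, the page URL and the embedding page URL, and reports whether the frame would be allowed, with and without `frame-ancestors` support. The header sets (`TRELLIS_DEFAULT`, `CSP_ONLY`, `BOTH`) are constructed to mirror the three states discussed above, and all function names are this example's own.

```python
"""Decide whether a page may be framed, given its response headers.

Added example for this thread (not part of the posts or of Trellis). It models
the browser-side check from CSP Level 3 and the HTML standard: a frame-ancestors
directive, when present, overrides X-Frame-Options; only a browser without
frame-ancestors support (legacy_browser=True) falls back to X-Frame-Options.
"""
import re
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}

# [scheme://][*.]host[:port][/path]; the path is accepted but ignored, since
# frame-ancestors matches origins only.
_HOST_SOURCE = re.compile(
    r"(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<wild>\*\.)?"
    r"(?P<host>[a-z0-9.-]+)(?::(?P<port>\d+|\*))?(?:/.*)?"
)


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORT.get(scheme)


def frame_ancestors(headers):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]  # an empty list matches nothing, like 'none'
    return None


def source_matches(source, embedder, protected):
    """Does one frame-ancestors source expression match the embedding origin?"""
    source = source.lower()
    e_scheme, e_host, e_port = embedder
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == protected
    if source == "*":
        return True
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", source):  # scheme-source such as https:
        return e_scheme == source[:-1]
    m = _HOST_SOURCE.fullmatch(source)
    if m is None:
        return False  # an unparseable source matches nothing
    # A source with no scheme inherits the protected page's scheme, and an
    # http: page may be framed by an https: ancestor (CSP3 scheme-upgrade rule).
    scheme = m.group("scheme") or protected[0]
    if scheme != e_scheme and not (scheme == "http" and e_scheme == "https"):
        return False
    if m.group("wild"):
        if not e_host.endswith("." + m.group("host")):
            return False  # *.example.com does not match the bare example.com
    elif e_host != m.group("host"):
        return False
    port = m.group("port")
    if port is None:
        return e_port == _DEFAULT_PORT.get(e_scheme)
    return port == "*" or e_port == int(port)


def x_frame_options_allows(headers, embedder, protected):
    """X-Frame-Options as browsers apply it: DENY blocks, SAMEORIGIN requires
    the same origin, and any other value (e.g. ALLOW-FROM) is ignored."""
    value = headers.get("x-frame-options")
    if value is None:
        return True, "no X-Frame-Options header"
    tokens = {t.strip().lower() for t in value.split(",")}
    if "deny" in tokens:
        return False, "X-Frame-Options: DENY"
    if "sameorigin" in tokens:
        if embedder == protected:
            return True, "X-Frame-Options: SAMEORIGIN, same origin"
        return False, "X-Frame-Options: SAMEORIGIN, embedder is a different origin"
    return True, "X-Frame-Options value not recognised, header ignored"


def framing_allowed(headers, protected_url, embedder_url, legacy_browser=False):
    """Return (allowed, reason) for loading protected_url in a frame on embedder_url.
    Only the direct embedder is checked; real browsers check every ancestor frame."""
    headers = {k.lower(): v for k, v in headers.items()}
    protected, embedder = origin(protected_url), origin(embedder_url)
    sources = frame_ancestors(headers)
    if sources is not None and not legacy_browser:
        # CSP Level 3: frame-ancestors takes precedence over X-Frame-Options.
        for src in sources:
            if source_matches(src, embedder, protected):
                return True, f"frame-ancestors source {src} matches"
        return False, f"no frame-ancestors source matches {embedder_url}"
    return x_frame_options_allows(headers, embedder, protected)


# Constructed header sets (not captured from a real site).
TRELLIS_DEFAULT = {"X-Frame-Options": "SAMEORIGIN",  # what Post 1 reports
                   "Content-Security-Policy": "frame-ancestors 'self'"}
CSP_ONLY = {"Content-Security-Policy": "frame-ancestors url-1.com url-2.com;"}  # steps 1 + 3
BOTH = {"X-Frame-Options": "SAMEORIGIN",  # step 1 applied, step 3 skipped
        "Content-Security-Policy": "frame-ancestors url-1.com url-2.com;"}

if __name__ == "__main__":
    page, embedder = "https://site.com/embed-me", "https://url-1.com/dashboard"
    for name, hdrs in (("default", TRELLIS_DEFAULT), ("csp only", CSP_ONLY), ("both", BOTH)):
        for legacy in (False, True):
            allowed, why = framing_allowed(hdrs, page, embedder, legacy_browser=legacy)
            print(f"{name:9} legacy={legacy!s:5} allowed={allowed!s:5} {why}")
```

To feed it real headers after reprovisioning, fetch them with `curl -sI https://site.com/embed-me` and paste the `Content-Security-Policy` and `X-Frame-Options` lines into a dict. The `BOTH` case is the one to watch for: it passes for current browsers but fails with `legacy_browser=True`, which is exactly the situation `nginx_embed_security: false` removes.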
