Roots Discourse

Trellis Allow subdomains for Content Security Policy

I am trying to set up a site that uses a plugin to make some pages on my site into a mobile app. The site is giving me an error “a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’”.” I know that having the frame-ancestors set to self does not allow subdomains.

{% extends 'roles/nginx/templates/nginx.conf.j2' %}

  {% block server_basic -%}
  {{ super() }}
  add_header Content-Security-Policy "default-src 'none'; script-src https://{{ site_hosts_canonical | join(' https://') }};
  {% endblock %}

I have this set in my nginx-includes directory for my subdomain config js file and the server configuration settings don’t get set.

In recent Trellis, it should be already sufficient to set nginx_embed_security: false for a particular site in wordpress_sites.yml.