- Task
- Resolution: Merged
- Should have
- None
- Security
- oberon
We have cases in GP Switzerland where we would like to embed content from our Planet4 website into third-party websites. For example:
- Petitions we run directly on Planet4, embedded into partner websites.
- Other forms for paid promotions on local news sites.
At the moment, NGINX is set up to send an x-frame-options: SAMEORIGIN header (related config), which prevents pages on other domains from embedding our content.
Suggested solution: set the header from WordPress instead of NGINX and provide a filter to remove it from certain pages. Alternatively, if we only want to allow embedding for certain trusted third-party domains, there is a way to do that: instead of just removing x-frame-options, a list of trusted domains allowed to embed our content can be supplied through a Content-Security-Policy: frame-ancestors <source>; header (more info).
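One way the suggested solution could look in WordPress, as an added example written for this ticket (not Planet4 code): the header is emitted from PHP on `template_redirect`, defaults to same-origin only, and a filter lets a theme or plugin allowlist trusted embedders per page. The filter name `p4_frame_ancestors`, the function names, the page ID 123 and the origin `https://partner.example` are placeholders for this example; it also assumes the `add_header x-frame-options` line has been removed from the NGINX config so WordPress is the only source of the header.

```php
<?php
/**
 * Added example (not Planet4 code): send clickjacking protection from WordPress
 * instead of NGINX, with an allowlist of trusted embedders that pages can extend.
 *
 * Assumption: NGINX no longer adds x-frame-options itself; otherwise both
 * headers would be sent and the NGINX one would still apply in old browsers.
 * `p4_frame_ancestors` and the p4_example_* names are placeholders.
 */

/**
 * Origins allowed to frame the current request. Default: none (same-origin only).
 * Only plain https origins (optionally with a *. wildcard and a port) are accepted,
 * so a typo or a stray path cannot produce an over-broad policy.
 *
 * @return string[] CSP host-source expressions, e.g. 'https://partner.example'.
 */
function p4_example_get_frame_ancestors(): array {
    $ancestors = apply_filters( 'p4_frame_ancestors', array() );
    $ancestors = array_filter( (array) $ancestors, function ( $origin ) {
        return is_string( $origin )
            && preg_match( '#^https://(\*\.)?[a-z0-9.-]+(:[0-9]+)?$#i', $origin ) === 1;
    } );
    return array_values( array_unique( $ancestors ) );
}

/**
 * Header name => value pairs for the current request.
 *
 * CSP frame-ancestors carries the allowlist (X-Frame-Options cannot express
 * more than one origin). Browsers that understand frame-ancestors ignore
 * X-Frame-Options when both are present, so the SAMEORIGIN header is kept only
 * as the fallback for browsers without CSP Level 2 support: on those the partner
 * embed simply fails rather than the page becoming frameable by anyone.
 */
function p4_example_frame_headers(): array {
    $sources = array_merge( array( "'self'" ), p4_example_get_frame_ancestors() );
    return array(
        'X-Frame-Options'         => 'SAMEORIGIN',
        'Content-Security-Policy' => 'frame-ancestors ' . implode( ' ', $sources ),
    );
}

// template_redirect runs after the main query, so conditional tags such as
// is_page() are reliable inside the filter callbacks below.
add_action( 'template_redirect', function () {
    if ( headers_sent() ) {
        return;
    }
    foreach ( p4_example_frame_headers() as $name => $value ) {
        header( $name . ': ' . $value );
    }
} );

// Example per-page allowlist: let one partner embed the petition page with ID 123.
add_filter( 'p4_frame_ancestors', function ( array $ancestors ) {
    if ( is_page( 123 ) ) { // 123 is a placeholder page ID
        $ancestors[] = 'https://partner.example';
    }
    return $ancestors;
} );
```

With no filter attached, every page still gets `X-Frame-Options: SAMEORIGIN` plus `Content-Security-Policy: frame-ancestors 'self'`, i.e. the same protection NGINX provides today. A quick check after deploying is to request a petition page with curl -I and confirm the header appears exactly once; if NGINX is still adding its own copy, the allowlist will not take effect in browsers that honour X-Frame-Options.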