  1. Planet4
  2. PLANET-5897

Allow embedding Planet4 content into third party websites


    • Task
    • Resolution: Merged
    • Should have
    • 2.54.0
    • None
    • Security
    • oberon

      Copied from Github

      We have cases in GP Switzerland where we would like to embed content from our Planet4 website into third party websites. For example:

      • Petitions we run directly on Planet4 into partner websites.
      • Other forms for paid promotions on local news sites.

      At the moment, NGINX is set up to send an X-Frame-Options: SAMEORIGIN header (related config), which prevents pages on other domains from embedding our content.

      Suggested solution: Set the header from WordPress instead of NGINX and provide a filter to remove it from certain pages. Alternatively, if we want to allow embedding only for certain trusted third-party domains, there's a way to do that: instead of only removing the X-Frame-Options header, a list of domains trusted to embed our content could be added through a Content-Security-Policy: frame-ancestors <source>; header (more info).
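
One way the suggested solution could look in WordPress, as an added example that is not Planet4's own code and not the change that was merged. The function name, the `example_embed_allowed_origins` filter and the sample origin are hypothetical, and the sketch assumes the NGINX header has been removed so that WordPress is the only place framing headers are set.

```php
<?php
// Added example, not Planet4 code. Every "example_" name is hypothetical.
// Assumes the NGINX add_header for X-Frame-Options has been removed.

/**
 * Build the framing headers for one response.
 *
 * @param array $allowed_origins Origins trusted to embed this page
 *                               (constructed sample: https://partner.example).
 * @return array Header name => value.
 */
function example_frame_headers( array $allowed_origins ) {
	$valid = array();
	foreach ( $allowed_origins as $origin ) {
		// Accept only bare https origins (host plus optional port). Wildcards,
		// paths, spaces, ';' and newlines are rejected so a filter value cannot
		// widen the policy or inject another directive. \z, unlike $, does not
		// match before a trailing newline.
		if ( is_string( $origin ) && preg_match( '#^https://[a-z0-9.-]+(:\d{1,5})?\z#i', $origin ) ) {
			$valid[] = strtolower( $origin );
		}
	}
	if ( empty( $valid ) ) {
		// Default for every page: same effect as the current NGINX header.
		return array(
			'X-Frame-Options'         => 'SAMEORIGIN',
			'Content-Security-Policy' => "frame-ancestors 'self'",
		);
	}
	// X-Frame-Options has no way to list several origins, so embeddable pages
	// carry the allowlist in frame-ancestors only.
	return array(
		'Content-Security-Policy' => "frame-ancestors 'self' " . implode( ' ', array_unique( $valid ) ),
	);
}

// template_redirect runs after the main query, so the queried page is known.
add_action( 'template_redirect', function () {
	// Hypothetical filter: return trusted origins for pages that may be embedded.
	$origins = apply_filters( 'example_embed_allowed_origins', array(), get_queried_object_id() );
	foreach ( example_frame_headers( (array) $origins ) as $name => $value ) {
		// Append rather than replace, so a CSP header set elsewhere still applies.
		header( "$name: $value", false );
	}
} );
```

Pages for which the filter returns nothing keep the SAMEORIGIN behaviour, so embedding stays opt-in per page and per origin.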

            ltiralon Luca Tiralongo
            nroussos Nikos Roussos