PROBLEM: When trying to view the website in Cloud IDE or in Campaign Studio preview, it fails with the error:
'This website blocks iframe previews with the x-frame-options: SAMEORIGIN header.'
SOLUTION: We need a way to allow DF sites to be opened in an iframe on specific domains.
BACKGROUND:
It appears that Drupal provides this as a default (which is good in general), but it seems that X-Frame-Options is deprecated in favor of using Content-Security-Policy.
There is a core issue/patch that can help, but I think we may want a more reliable solution until core figures it out. This site describes how to make a simple module to remove the X-Frame-Options header and insert a Content-Security-Policy header. Ideally, this is configurable through the admin UI, or something in settings.php.
https://digitalist.global/talks/remove-x-frame-options-and-set-content-security-policy/
There is also a CSP module that could be extended (or may offer this option). https://medium.com/myplanet-musings/drupal-8-content-security-policy-header-65d408c355a9
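
A sketch of the module approach described above, added here as an example and not taken from the linked article, Drupal core, or the CSP module: a response subscriber that swaps X-Frame-Options for a CSP `frame-ancestors` allowlist read from settings.php. The module name `frame_allow`, the class name, and the settings key `frame_allow_origins` are hypothetical.

```php
<?php

namespace Drupal\frame_allow\EventSubscriber;

use Drupal\Core\Site\Settings;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Replaces X-Frame-Options with a CSP frame-ancestors allowlist.
 *
 * Register in frame_allow.services.yml with the tag "event_subscriber".
 * On Drupal 8 (Symfony 3) the event class is FilterResponseEvent.
 */
class FrameAncestorsSubscriber implements EventSubscriberInterface {

  public static function getSubscribedEvents() {
    // Negative priority: run after core has added X-Frame-Options.
    return [KernelEvents::RESPONSE => ['onResponse', -10]];
  }

  public function onResponse(ResponseEvent $event) {
    // Hypothetical settings.php key:
    // $settings['frame_allow_origins'] = ['https://preview.example.com'];
    $origins = array_filter(
      (array) Settings::get('frame_allow_origins', []),
      // Accept only plain https origins; reject wildcards, paths and
      // anything that could inject extra directives or headers.
      function ($origin) {
        return is_string($origin)
          && preg_match('#^https://[a-z0-9.-]+(:\d+)?\z#i', $origin);
      }
    );
    if (!$origins) {
      // No valid allowlist: keep core's SAMEORIGIN protection.
      return;
    }
    $headers = $event->getResponse()->headers;
    $headers->remove('X-Frame-Options');
    // Added as a separate policy so an existing CSP header is preserved.
    $headers->set(
      'Content-Security-Policy',
      "frame-ancestors 'self' " . implode(' ', $origins),
      FALSE
    );
  }

}
```

Keeping the allowlist to exact origins preserves the clickjacking protection that SAMEORIGIN provided for every other site; browsers that see several Content-Security-Policy headers enforce all of them, so a stricter existing `frame-ancestors` policy still wins.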