Open blattersturm opened 3 years ago
This would be nice to see. I am currently hitting this.
Okay I was able to solve this today.
I had an old fx_version
set in my fxmanifest.lua
when I set it fx_version 'cerulean'
the url changed to https://cfx-nui-<resource_name>
from nui://<resource_name>
this allowed CSP headers to properly work.
In DUI
frames, I suspect, however?
Any updates?
https://forum.cfx.re/t/embeds-of-twitch-tv-not-working/4748703
Since NUI is loading everything in an iframe, and we don't want to explicitly expose implementation details for this state, people can't load sites that use 'clickjacking protection' in NUI.
Since NUI loads all servers' state in an isolated context, and users would be extremely silly+unlikely to grant any privileged cookies/etc. to a server's NUI page, it may be workable to remove/patch these headers in a request filter.