Closed stduerre closed 3 years ago
GP Netherlands would also really like this! Our use case is for use in cross-domain cookies. We have two domains in use (greenpeace.nl & greenpeace.org/nl). By embedding a (lightweight) iframe of domain A into domain B, we are able to exchange the cookie consent. Currently this only works one-way. If we were able to embed Planet4 into our other domain, we would have to show fewer cookie notices, resulting in a better UX.
Having an option to filter the x-frame option and setting a domain in the CSP header would be awesome!
We have cases in GP Switzerland where we would like to embed content from our Planet4 website into third party websites. For example:
At the moment, NGINX is set up to send a `x-frame-options: SAMEORIGIN` header (related config), which prohibits other pages (on different domains) from embedding our content.

Suggested solution: Set the header from WordPress instead of NGINX and provide a filter to remove it from certain pages. Alternatively, if we want to allow embedding for certain trusted 3rd party domains only, there's a way to do that: instead of only removing the `x-frame-options`, a list of trusted domains to embed our content could be added through a `Content-Security-Policy: frame-ancestors <source>;` header (more info).
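
One way the suggested solution could look, as an added example that is not Planet4 code and not part of the original issue: the headers are set from WordPress, default to same-origin framing, and a filter opts individual pages in to a validated list of trusted embedding origins. The filter name `example_frame_ancestors`, the function names, page ID 123 and the origin `https://partner.example` are hypothetical, and it assumes NGINX no longer adds its own `x-frame-options` header, since PHP cannot remove a header the web server adds afterwards.

```php
<?php
/**
 * Added example, not Planet4 code. The filter name 'example_frame_ancestors'
 * and the sample origin are hypothetical.
 */

// Keep only well-formed https origins so a filter callback cannot inject
// wildcards, paths or CR/LF into the header value.
function example_clean_origins( array $origins ): array {
	$clean = array();
	foreach ( $origins as $origin ) {
		$parts = parse_url( (string) $origin );
		if ( ! is_array( $parts ) || array_diff_key( $parts, array( 'scheme' => 1, 'host' => 1, 'port' => 1 ) ) ) {
			continue; // Malformed, or carries a path, query, fragment or userinfo.
		}
		if ( 'https' !== ( $parts['scheme'] ?? '' ) || ! preg_match( '/\A[a-z0-9.-]+\z/i', $parts['host'] ?? '' ) ) {
			continue;
		}
		$clean[] = 'https://' . strtolower( $parts['host'] ) . ( isset( $parts['port'] ) ? ':' . $parts['port'] : '' );
	}
	return array_values( array_unique( $clean ) );
}

function example_send_framing_headers(): void {
	if ( headers_sent() ) {
		return;
	}
	// template_redirect runs after the main query, so the post ID is known here.
	$origins = example_clean_origins(
		(array) apply_filters( 'example_frame_ancestors', array(), get_queried_object_id() )
	);
	// Passing false appends a policy instead of replacing a CSP set elsewhere.
	if ( ! $origins ) {
		// Default for every other page: same behaviour as the current NGINX header.
		header( 'X-Frame-Options: SAMEORIGIN' );
		header( "Content-Security-Policy: frame-ancestors 'self'", false );
		return;
	}
	header_remove( 'X-Frame-Options' );
	header( "Content-Security-Policy: frame-ancestors 'self' " . implode( ' ', $origins ), false );
}
add_action( 'template_redirect', 'example_send_framing_headers' );

// Opt-in for one page (ID 123 and the partner origin are constructed values).
add_filter( 'example_frame_ancestors', function ( array $origins, int $post_id ): array {
	return 123 === $post_id ? array_merge( $origins, array( 'https://partner.example' ) ) : $origins;
}, 10, 2 );
```

The hook is `template_redirect` rather than `send_headers` because the latter fires before the main query runs, when the queried page is not yet known.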