plone / plone.protect

HTTP protection utilities for the Plone CMS
https://pypi.org/project/plone.protect/

How to disable X-Frame-Options header? #103

Open erral opened 1 year ago

erral commented 1 year ago

How can I completely disable (for the whole site or a given view) the X-Frame-Options header added by this product?

Specifically, I need to be able to embed in an iframe a page rendered by Plone. The current best practice seems to be to remove the X-Frame-Options header (apart from using CSP), but the current environment-variable approach doesn't allow removing it: I can only set it to empty or None, which does not work according to MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

I have added a workaround in nginx by adding the following line:

proxy_hide_header X-Frame-Options;

But it would be desirable to be able to remove it in a more flexible way, for the whole site or view by view.

Rudd-O commented 1 year ago

https://github.com/plone/plone.protect/blob/8b8b36a570354e543b8a3fbe3696dd9ac69c4ad3/README.rst#clickjacking-protection I hope this answers your question.

yurj commented 1 year ago

In Apache I do: Header set Content-Security-Policy "frame-ancestors 'self' *.domainsthatcanuseiframe;"

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

I think you can just use * and set it in the view you want to be embeddable in an iframe.
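To make concrete the two points raised so far (erral's, that a blank X-Frame-Options value is not the same as no header, and yurj's, that a CSP frame-ancestors directive is the per-view way to allow embedding), here is a small checker that predicts a browser's framing decision from a response's headers. It is an added example, not code from plone.protect or from anyone in this thread; the function names (`framing_decision`, `run_cases`) and the sample headers and origins are constructed for illustration. It follows the rules documented on MDN for X-Frame-Options and for CSP frame-ancestors, simplified to a single embedder (real browsers check every ancestor frame) and a single CSP header.

```python
"""Predict whether a browser will allow a response to be framed, given its
headers, the page's own URL and the embedding page's origin.

Added example for this issue thread; it is not plone.protect code and not
code from any poster. Rules follow MDN for X-Frame-Options and for the CSP
frame-ancestors directive, simplified to one embedder and one CSP header.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(source, embedder_url, page_url):
    """Match one frame-ancestors source expression against the embedder origin."""
    source = source.lower()
    e_scheme, e_host, e_port = _origin(embedder_url)
    p_scheme, p_host, p_port = _origin(page_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (e_scheme, e_host, e_port) == (p_scheme, p_host, p_port)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:  # scheme-source, e.g. "https:"
        return e_scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; the path plays no role for ancestors
    scheme, rest = source.split("://", 1) if "://" in source else ("", source)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme:
        if e_scheme != scheme:
            return False
    elif not (e_scheme == p_scheme or (p_scheme == "http" and e_scheme == "https")):
        return False  # scheme-less source: same scheme as the page, or an https upgrade
    if port and port != "*" and int(port) != e_port:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])  # "*.example.org" matches "a.example.org", not "example.org"
    return e_host == host


def framing_decision(headers, page_url, embedder_url):
    """Return 'allowed', 'blocked' or 'invalid-xfo'.

    * A CSP carrying frame-ancestors decides on its own; X-Frame-Options is then ignored.
    * Otherwise DENY blocks and SAMEORIGIN allows only the page's own origin.
    * Any other X-Frame-Options value, an empty one included, is invalid. Browsers
      do not agree on what to do with it, so it is reported rather than guessed.
    * No header at all means framing is allowed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        sources = _parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            allowed = any(_source_matches(s, embedder_url, page_url) for s in sources)
            return "allowed" if allowed else "blocked"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "allowed"
    value = xfo.strip().upper()
    if value == "DENY":
        return "blocked"
    if value == "SAMEORIGIN":
        return "allowed" if _origin(embedder_url) == _origin(page_url) else "blocked"
    return "invalid-xfo"


# Constructed sample responses and embedders (not captured from a real Plone site).
PAGE = "https://plone.example.org/news/item"
CSP_PARTNER = "frame-ancestors 'self' *.partner.example"
CASES = [
    ({"X-Frame-Options": "SAMEORIGIN"}, "https://plone.example.org/"),
    ({"X-Frame-Options": "SAMEORIGIN"}, "https://partner.example/"),
    ({"X-Frame-Options": ""}, "https://partner.example/"),  # "disabled" by blanking the value
    ({"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": CSP_PARTNER}, "https://app.partner.example/"),
    ({"Content-Security-Policy": CSP_PARTNER}, "https://partner.example/"),  # wildcard excludes the bare domain
    ({"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}, "https://plone.example.org/"),
    ({}, "https://anyone.example/"),
]


def run_cases():
    """Verdict for each constructed case, in order."""
    return [framing_decision(hdrs, PAGE, embedder) for hdrs, embedder in CASES]


if __name__ == "__main__":
    for (hdrs, embedder), verdict in zip(CASES, run_cases()):
        print(f"{verdict:12} {embedder:30} {hdrs}")
```

Two things the cases show that the thread's prose only states: a blank value is neither "allowed" nor "blocked" but an invalid header whose handling you should not depend on, which is why stripping it at the proxy (the `proxy_hide_header` workaround) is the predictable way to remove it; and when a CSP with frame-ancestors is present, X-Frame-Options no longer matters, so yurj's Apache approach works even while plone.protect keeps emitting SAMEORIGIN, as long as the wildcard list names the embedding hosts exactly (`*.partner.example` does not cover `partner.example` itself).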

erral commented 1 year ago

> https://github.com/plone/plone.protect/blob/8b8b36a570354e543b8a3fbe3696dd9ac69c4ad3/README.rst#clickjacking-protection I hope this answers your question.

No, this doesn't answer my question.

Because the actual code either always or never sets the header, it is not possible to override it and remove it from a given view.

Rudd-O commented 1 year ago

@erral oh that's bad. Let's keep this open for the fix.

Rudd-O commented 1 year ago

I think it's dumb to use env vars for this, as one may want to govern the behavior per site or even per page.