Closed edalzell closed 2 years ago
It looks to me like your site 2 is explicitly not allowing embedding or remote loading of content for security, which is good practice. And so to get live preview working you need to explicitly allow it. I wouldn't see this as a Statamic bug.
I'm not sure that this needs to be in the core. You can create a middleware that adds the header you mentioned. I think you might need to use frame-ancestors instead though.
Content-Security-Policy "frame-ancestors https://site1.com/ https://site2.com/;"
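One way to build the header value suggested in the comment above, as an added example that is not Statamic's code or the commenter's. It is plain PHP and assumes the allowed origins come from the configured site URLs and that Live Preview requests carry live-preview in the query string; the helper name and sample URLs are hypothetical.

```php
<?php
// Added example, not Statamic code. Helper name and site URLs are assumptions.

/**
 * Build a frame-ancestors policy for a Live Preview response.
 * Returns null when the request is not a live preview, so normal pages
 * keep whatever framing restrictions the site already sends.
 */
function livePreviewFrameAncestors(array $query, array $siteUrls): ?string
{
    // The thread keys the behaviour on "live-preview" being in the query string.
    if (!array_key_exists('live-preview', $query)) {
        return null;
    }

    $origins = [];
    foreach ($siteUrls as $url) {
        $parts = parse_url($url);
        // Skip anything malformed or without a host.
        if ($parts === false || empty($parts['host'])) {
            continue;
        }
        // Only http(s) origins may frame the preview.
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($scheme !== 'https' && $scheme !== 'http') {
            continue;
        }
        // frame-ancestors is matched on scheme, host and port, so drop the path.
        $origin = $scheme . '://' . strtolower($parts['host']);
        if (isset($parts['port'])) {
            $origin .= ':' . $parts['port'];
        }
        $origins[$origin] = true; // de-duplicate
    }

    // With no valid origin, fall back to same-origin framing only.
    $sources = $origins ? implode(' ', array_keys($origins)) : "'self'";
    return 'frame-ancestors ' . $sources;
}

// Constructed sample input: two site URLs of a multi-site install.
$sites = ['https://site1.com/', 'https://site2.com/en/'];
$value = livePreviewFrameAncestors(['live-preview' => 'abc'], $sites);
if ($value !== null) {
    // In a Laravel middleware this would be $response->headers->set(...).
    header('Content-Security-Policy: ' . $value);
}
echo $value, PHP_EOL;
```

Scoping the header to preview requests leaves framing of every other response as restrictive as it was before.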
It looks to me like your site 2 is explicitly not allowing embedding or remote loading of content for security, which is good practice. And so to get live preview working you need to explicitly allow it. I wouldn't see this as a Statamic bug.
The only argument I have against is that folks w/ multi-sites on different domains will think that Live Preview is broken, which is a poor experience.
@jasonvarga We just ran into this issue on one of our client's sites, and I agree this should be in core. Having different domains in a multi-site is a core feature, so why wouldn't including the right CSP headers automatically be?
Can this be re-opened?
Bug description
Trying to Live Preview site 2 content from site 1 CP, shows a blank screen with this error:
Not sure if this is an actual bug. To fix, we'd have to update the DataResponse to add a header when live-preview is in the query string:
How to reproduce
Steps:
Logs
No response
Environment
Installation
Fresh statamic/statamic site via CLI
Antlers Parser
runtime (new)
Additional details
No response