Topic: Allow specific external site to load forum in iframe

[spiros]

How can I allow a specific external site to load the forum in an iframe?

[spiros]

I.e. add in index.php the second line?

Code: [Select]

header('X-Frame-Options: SAMEORIGIN');
header('X-Frame-Options: allow-from http://otherdomain.org/');


[Arantor]

The second line replaces the first (a header can only exist once) but not all browsers respect that setting, or didn’t last I checked.

[spiros]

It did not work at all. Apparently "X-Frame-Options" has been replaced by "Content-Security-Policy":

https://content-security-policy.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

which allows multiple values. I am trying something like:

Code: [Select]

header('Content-Security-Policy "frame-ancestors *.magicsearch.org/ 'self'");
Or

Code: [Select]

header('Content-Security-Policy: frame-ancestors *.magicsearch.org/ *.translatum.gr/);
But they both result in HTTP ERROR 500.

[Arantor]

You have mismatched quotes, but typing quotes on iPad is hard right now...

[Illori]

Code: [Select]

header('Content-Security-Policy "frame-ancestors *.magicsearch.org/" self');I believe the above code has the corrected quotes.

[spiros]

I tried the one below, and apparently it works in third site and self site (translatum). The only strange issue is that it does not load the iframe on third site using Chrome proper (and checking source it reads "your browser does not support iframes"), but it loads it in an incognito window.

Code: [Select]

header('Content-Security-Policy: frame-ancestors http://magicsearch.org https://www.translatum.gr');
Edit: found the culprit, it was the Privacy Badger extension