The allowed iframes whitelist is not working for us. We’ve added a github plugin with plugin.rb
:
Rails.application.config.action_dispatch.default_headers.merge!({'X-Frame-Options' => 'ALLOWALL'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Origin' => '*'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS, DELETE'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Headers' => 'Content-Type, Authorization, X-Requested-With'})
but for some reason, discourse keeps reverting it back to
x-frame-options: SAMEORIGIN
Everything works in http localhost but when deployed in https, nothing is working.