Allowed iframes whitelist not working - 'x-frame-options: SAMEORIGIN'

boazcstrike · June 30, 2022, 9:24am

The allowed iframes whitelist is not working for us. We’ve added a github plugin with plugin.rb:

Rails.application.config.action_dispatch.default_headers.merge!({'X-Frame-Options' => 'ALLOWALL'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Origin' => '*'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS, DELETE'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Headers' => 'Content-Type, Authorization, X-Requested-With'})

but for some reason, discourse keeps reverting it back to
x-frame-options: SAMEORIGIN

Everything works in http localhost but when deployed in https, nothing is working.

JammyDodger · June 30, 2022, 9:34am

Hello and welcome @boazcstrike

I think there was a similar issue in this recent post Iframe attributes not working - #13 by gilby. I think @falco is looking into it, so he may have some more info?

boazcstrike · June 30, 2022, 9:53am

Hi Jammy!

We finally made it work.

There was a hidden setting called allow_embedding_site_in_an_iframe and we just set it to true inside the rails app:

SiteSetting.allow_embedding_site_in_an_iframe = true

Thank you!

JammyDodger · June 30, 2022, 9:55am

Even better. I’m glad you got it working.

system · July 30, 2022, 9:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Iframe allow attribute not working feature	14	1994	July 5, 2022
WhiteList Iframe from facebook not show support	10	2062	September 1, 2017
Add WhiteListIframe embed of everycircuit.com support	11	2208	September 16, 2019
Embedding Content on a site with 'X-Frame-Options' to 'SAMEORIGIN' support	3	4569	March 25, 2022
Iframes Not Working support	6	1281	March 3, 2022

Allowed iframes whitelist not working - 'x-frame-options: SAMEORIGIN'

Related Topics