Allowed iframes whitelist not working - 'x-frame-options: SAMEORIGIN'

The allowed iframes whitelist is not working for us. We’ve added a github plugin with plugin.rb:

Rails.application.config.action_dispatch.default_headers.merge!({'X-Frame-Options' => 'ALLOWALL'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Origin' => '*'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS, DELETE'})
Rails.application.config.action_dispatch.default_headers.merge!({'Access-Control-Allow-Headers' => 'Content-Type, Authorization, X-Requested-With'})

but for some reason, discourse keeps reverting it back to
x-frame-options: SAMEORIGIN

Everything works in http localhost but when deployed in https, nothing is working.

Hello and welcome @boazcstrike :slight_smile:

I think there was a similar issue in this recent post Iframe attributes not working - #13 by gilby. I think @falco is looking into it, so he may have some more info?

Hi Jammy!

We finally made it work.

There was a hidden setting called allow_embedding_site_in_an_iframe and we just set it to true inside the rails app:

SiteSetting.allow_embedding_site_in_an_iframe = true

Thank you! :smiley:


Even better. :slight_smile: I’m glad you got it working. :+1:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.