An invalid response header is being set from embed controller

https://github.com/discourse/discourse/blob/53ab3dda5d5e99507096397775f3275dd63a4304/app/controllers/embed_controller.rb#L27

MDN doesn’t specify “ALLOWALL” as a possible value for the X-Frame-Options header. On Firefox, when loading any page with an embed, this can be seen in the console:

Any way to not send that header and specify the frame-ancestors directive for the Content-Security-Policy header? From the code it doesn’t seem there is a way to configure this.

I saw that error while working on the embed in our new blog. The easy thing to do is to just remove this header right?

2 Likes

I think so, yes. I am assuming you meant removing it from Discourse (vs. hiding it using some Nginx configuration). The header itself is considered obsolete now anyway. There are other occurrences of the same header in that file.

Note: The Content-Security-Policy HTTP header has a frame-ancestors directive which obsoletes this header for supporting browsers.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
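The approach discussed above (drop the non-standard `X-Frame-Options: ALLOWALL` and express the embedding policy through the CSP `frame-ancestors` directive), as an added example that is not part of this thread or of Discourse. The middleware class name and the `allowed_hosts` list are assumptions.

```ruby
# Added example, not Discourse code: a Rack middleware that replaces the
# non-standard "X-Frame-Options: ALLOWALL" with a Content-Security-Policy
# frame-ancestors directive naming the sites allowed to embed the response.
# allowed_hosts is a constructed parameter, not a Discourse site setting.
class FrameAncestorsPolicy
  VALID_XFO = %w[DENY SAMEORIGIN].freeze

  def initialize(app, allowed_hosts:)
    @app = app
    @allowed_hosts = allowed_hosts
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, self.class.rewrite(headers, @allowed_hosts), body]
  end

  # Pure header rewrite so it can be exercised without a Rack stack.
  def self.rewrite(headers, allowed_hosts)
    out = headers.dup
    xfo_key = out.keys.find { |k| k.casecmp?('X-Frame-Options') }
    if xfo_key && !VALID_XFO.include?(out[xfo_key].to_s.strip.upcase)
      # Browsers ignore unknown values such as ALLOWALL and log a console
      # error; drop the header and state the embedding policy in CSP instead.
      out.delete(xfo_key)
      csp_key = out.keys.find { |k| k.casecmp?('Content-Security-Policy') } ||
                'Content-Security-Policy'
      out[csp_key] = merge_csp(out[csp_key], frame_ancestors(allowed_hosts))
    end
    out
  end

  # An empty allow-list denies framing rather than silently allowing everyone.
  def self.frame_ancestors(allowed_hosts)
    sources = allowed_hosts.empty? ? ["'none'"] : allowed_hosts
    "frame-ancestors #{sources.join(' ')}"
  end

  # Append our directive, replacing any frame-ancestors the app already set.
  def self.merge_csp(existing, directive)
    kept = existing.to_s.split(';').map(&:strip)
                   .reject { |d| d.empty? || d.start_with?('frame-ancestors') }
    (kept << directive).join('; ')
  end
end
```

A header that already carries a standards-compliant value (DENY or SAMEORIGIN) is left untouched, so the middleware only corrects the invalid case.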

This is fixed now:

1 Like

This topic was automatically closed after 4 days. New replies are no longer allowed.