CSP Frame Ancestors enabled by default

We just enabled the Content-Security-Policy (CSP) frame-ancestors directive by default on Discourse.

By default it allows self and any domains allowed in Admin > Customize > Embedding.

If necessary, a site administrator may disable it using the site setting content security policy frame ancestors, but that is not recommended.

12 Likes