Falco
(Falco)
1
We just enabled the Content-Security-Policy (CSP) frame-ancestors directive by default on Discourse.
By default it allows self and any domains allowed in Admin > Customize > Embedding.
If necessary, a site administrator may disable it using the site setting content security policy frame ancestors, but that is not recommended.
15 Likes
alxndr
(Alexander)
2
Can this be configured to allow an iframe on a site running at localhost?
Falco
(Falco)
3
It may work by adding that in the
section. But since it’s for local development you can also disable CSP on your dev browser, which would get the same result.
1 Like
alxndr
(Alexander)
4
I tried adding localhost, both with and without the port, but no dice… I’ll look into disabling it in the browser. Thanks!
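For checking what a given frame-ancestors entry covers, here is an added example (not part of the thread and not Discourse code): a simplified model of how CSP Level 3 matches an embedding page's origin against the source list. The hosts forum.example.com and blog.example.com and all function names are assumptions made for illustration.

```javascript
// Simplified model of CSP Level 3 source matching for frame-ancestors (paths ignored).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// An expression scheme also covers its secure upgrade (http covers https).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http:" && urlScheme === "https:");
}

function hostMatches(exprHost, urlHost) {
  if (exprHost.startsWith("*.")) return urlHost.endsWith(exprHost.slice(1));
  return exprHost === urlHost;
}

// Returns the frame-ancestors source list, or null if the directive is absent.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceMatches(source, ancestor, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === page.origin; // exact origin only in this model
  if (s === "*") return ancestor.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, ancestor.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A source without a scheme is compared using the scheme of the protected page.
  const exprScheme = scheme ? scheme + ":" : page.protocol;
  if (!schemeMatches(exprScheme, ancestor.protocol)) return false;
  if (!hostMatches(host, ancestor.hostname)) return false;
  const ancestorPort = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  // A source without a port only covers the default port of the ancestor's scheme.
  if (port === undefined) return ancestorPort === DEFAULT_PORT[ancestor.protocol];
  return port === "*" || port === ancestorPort;
}

// True if a page at ancestorOrigin may frame a response served from pageOrigin.
function mayEmbed(cspHeader, pageOrigin, ancestorOrigin) {
  const sources = frameAncestors(cspHeader);
  if (sources === null) return true; // no directive, no framing restriction
  const page = new URL(pageOrigin), ancestor = new URL(ancestorOrigin);
  return sources.some((src) => sourceMatches(src, ancestor, page));
}

// Constructed sample policy; forum.example.com and blog.example.com are hypothetical.
const SAMPLE_POLICY = "frame-ancestors 'self' https://blog.example.com localhost";
```

In this model, a bare localhost entry on an HTTPS-served page does not cover http://localhost:3000, while an entry that spells out scheme and port does.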