CSP Frame Ancestors enabled by default

We just enabled the Content-Security-Policy (CSP) frame-ancestors directive by default on Discourse.

By default it allows self and any domains allowed in Admin > Customize > Embedding.

If necessary, a site administrator may disable it using the site setting content security policy frame ancestors, but that is not recommended.

15 Likes

Can this be configured to allow an iframe on a site running at localhost?

It may work by adding that in the Admin > Customize > Embedding section. But since it’s for local development you can also disable CSP on your dev browser, which would get the same result.

1 Like

I tried adding localhost, both with and without the port, but no dice… I’ll look into disabling it in the browser. Thanks!
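As an added example (not Discourse's own code, and not from any participant in this thread), the Ruby below does two things: it builds a `frame-ancestors` value the way the announcement describes, `'self'` plus whatever hosts an administrator allowed for embedding, and it models how a browser decides whether a given framing origin matches that directive. The matcher is a simplified reading of the CSP Level 3 host-source rules (scheme, host, wildcard subdomain and port), which is why a `localhost` entry without a port does not cover a dev server on `http://localhost:4200`: an expression with no port only matches the default port for the scheme, and an expression with no scheme only matches the forum's own scheme (or an https upgrade of it). All hostnames and ports are constructed sample values; `frame_ancestors_header`, `source_matches?` and `framing_allowed?` are hypothetical helpers.

```ruby
require "uri"

# Default ports per scheme, consulted when a source expression omits a port.
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

# Build the directive value: 'self' plus every host allowed for embedding.
# Hypothetical helper mirroring the announcement's default, not Discourse code.
def frame_ancestors_header(allowed_embed_hosts)
  sources = ["'self'"] + allowed_embed_hosts.map(&:strip).reject(&:empty?)
  "frame-ancestors #{sources.join(' ')}"
end

# Simplified CSP3 host-source match of one expression against a framing origin.
# site_origin is the origin of the page that carries the policy (what 'self' means).
def source_matches?(expr, ancestor, site_origin)
  site = URI.parse(site_origin)
  return false if expr == "'none'"
  return true  if expr == "*" # any network scheme; fine for the http(s) cases here
  if expr == "'self'"
    return ancestor.scheme == site.scheme && ancestor.host == site.host && ancestor.port == site.port
  end

  # Split "scheme://host:port" into parts; scheme and port are optional.
  m = expr.match(%r{\A(?:([a-z][a-z0-9+.-]*)://)?([^:/\s]+)(?::(\*|\d+))?/?\z}i)
  return false unless m
  scheme, host, port = m[1]&.downcase, m[2].downcase, m[3]

  # scheme-part: explicit scheme must match (http may be satisfied by https);
  # absent scheme means "same scheme as the site", again allowing an upgrade.
  wanted_scheme = scheme || site.scheme
  unless ancestor.scheme == wanted_scheme || (wanted_scheme == "http" && ancestor.scheme == "https")
    return false
  end

  # host-part: exact host, or "*.example.com" for any subdomain (not the apex itself).
  if host.start_with?("*.")
    return false unless ancestor.host.downcase.end_with?(host[1..])
  else
    return false unless ancestor.host.downcase == host
  end

  # port-part: absent means "default port for the ancestor's scheme"; '*' is any port.
  return ancestor.port == DEFAULT_PORTS[ancestor.scheme] if port.nil?
  return true if port == "*"
  ancestor.port == port.to_i
end

# True if at least one source in the directive permits ancestor_origin to frame the site.
def framing_allowed?(header_value, ancestor_origin, site_origin)
  directive, *sources = header_value.split
  raise ArgumentError, "expected a frame-ancestors directive" unless directive == "frame-ancestors"
  ancestor = URI.parse(ancestor_origin)
  sources.any? { |s| source_matches?(s, ancestor, site_origin) }
end

if __FILE__ == $PROGRAM_NAME
  forum = "https://forum.example.com" # constructed site origin
  header = frame_ancestors_header(["https://blog.example.com", "localhost", "http://localhost:4200"])
  puts header
  [
    "https://forum.example.com", # 'self'
    "https://blog.example.com",  # allowed embed host
    "http://localhost",          # scheme-less "localhost" needs https here, so no
    "http://localhost:4200",     # explicit scheme and port, yes
    "http://localhost:3000",     # port not listed, no
    "https://evil.example.net",  # unrelated origin, no
  ].each { |origin| puts "#{origin.ljust(28)} -> #{framing_allowed?(header, origin, forum)}" }
end
```

The port and scheme rules are what make a bare `localhost` entry disappointing for local development: the browser reads `localhost` as "https://localhost on port 443" when the forum itself is served over https, so a dev server on another port or on plain http needs the full `http://localhost:PORT` form in the allow-list, or the browser-side CSP bypass the reply above suggests.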