I would like to keep “Use Secure Frame Headers” switched on in the settings, but would also need to iframe some pages of the site that connect to the same domain but a different sub-domain.
For example:
The page that needs to be embedded (Webflow website): app.domain.com/page/policy
The site that uses an iframe to show the above page: lp.domain.com/legal
I tried putting this in the head, but without success: <meta http-equiv="Content-Security-Policy" content="default-src 'self' *.domain.com" />
Contacted support. It will need an Enterprise Plan to set up a whitelist.
Here’s what they said:
“If you have this setting enabled, your site will not be able to be iframed by another site. If you needed to allow or whitelist certain domains, you would need to use custom security headers which are currently not available on self-serve hosting plans. This is an option if you’re on one of our Enterprise Plans. If you think you may be interested in an Enterprise Plan for this feature, please do let us know and I can put you in contact with our Enterprise Team.”
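An added example, not part of the original post and not Webflow's code: a small checker for whether a set of response headers lets lp.domain.com frame the app.domain.com page. It shows that `default-src` does not decide who may frame a page; that is the job of the `frame-ancestors` directive, which browsers honour only as an HTTP response header (not in a `<meta>` tag), and of `X-Frame-Options`. The header values in `SAMPLES` are constructed assumptions about what a "secure frame headers" setting and a custom allow-list would send.

```javascript
// Added example: would these response headers let `parentUrl` frame `pageUrl`?
// Simplified model: direct parent only, host-sources without ports or paths.
function schemeOk(policyScheme, urlScheme) {
  // CSP scheme matching: exact match, or an http source matching an https URL.
  return policyScheme === urlScheme || (policyScheme === "http:" && urlScheme === "https:");
}

function matchesSource(source, parent, page) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return parent.origin === page.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)$/i.exec(source);
  if (!m) return false; // 'none' and syntax outside this sketch never match
  const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol;
  if (!schemeOk(scheme, parent.protocol)) return false;
  const host = m[2].toLowerCase();
  // "*.domain.com" covers subdomains only, not domain.com itself.
  return host.startsWith("*.") ? parent.hostname.endsWith(host.slice(1)) : parent.hostname === host;
}

function framingAllowed(headers, parentUrl, pageUrl) {
  const parent = new URL(parentUrl), page = new URL(pageUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const directive = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  if (directive) return directive.slice(1).some(s => matchesSource(s, parent, page));
  // default-src is not a fallback for frame-ancestors, so only X-Frame-Options is left.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === page.origin;
  return true; // no framing restriction sent
}

// Constructed header sets; the values are assumptions, not captured from Webflow.
const PAGE = "https://app.domain.com/page/policy";
const PARENT = "https://lp.domain.com/legal";
const SAMPLES = {
  sameOriginOnly: { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" },
  defaultSrcOnly: { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "default-src 'self' *.domain.com" },
  allowlisted: { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self' https://lp.domain.com" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, framingAllowed(headers, PARENT, PAGE) ? "frame allowed" : "frame blocked");
}
```

Only the `allowlisted` set permits the embed, and it names the one subdomain that needs it rather than `*.domain.com`, so any other subdomain stays unable to frame the page.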