I would like to keep “Use Secure Frame Headers” switched on in the setting, but would also need to iframe some pages of the site that connects to the same domain but different sub-domain.
The page needs to be embedded (Webflow websites):
The site that uses iframe to show the above page:
I tried putting this to head but not success:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.domain.com" />
Reference: Content-Security-Policy - HTTP | MDN
Any idea? Thanks a lot.
If the header policy is set and the meta as well, the browser will honor the most restrictive. Thus your problem.
Contacted support. It will need Enterprise Plan to set up whitelist.
Here’s what they said:
“If you have this setting enabled, your site will not be able to be iframed by another site. If you needed to allow or whitelist certain domains, you would need to use custom security headers which are currently not available on self-serve hosting plans. This is an option if you’re on one of our Enterprise Plans. If you think you may be interested in an Enterprise Plan for this feature, please do let us know and I can put you in contact with our Enterprise Team.”