Use Secure Frame Headers toggle seems to have no effect

We are currently using webflow as a tool to allow the rapid development of simple web resources by non developers. Rather than requiring dns configuration for every tool we are using the CMS hosting level and using custom internal proxying to serve resources on our own domain.

I understand that iframe usege is blocked on free hosting, however, since our account is being run at the paid level I would assume that the “Use Secure Frame Headers” being disabled would allow for embedding of the resource.

However that does not seem to be the case.

Requesting the resource has a header of

Content-Security-Policy frame-ancestors 'self' https://* http://* http://*

Clearly this can be extracted (or replaced) with our internal tooling, but I am curious if that toggle is not meant to do anything?

Thank you,


Did you ever figure this one out?

Same here. Would love to see a response to this.