Content Security Policy and iframe integration

We’d like to use Glitch to make some sample code about how to use an app that can be embedded as an iframe in another app. This app uses https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors to select which domains are allowed to integrate it as an iframe. I’ve added `https://*.glitch.me` and `https://*.glitch.com` as allowed domains. The iframe shows up correctly when opening my project URL https://coal-donkey.glitch.me. However, when using the “show” mode in the editor it cannot be displayed, saying it violates the policy, just like it is not served from any of these domains.

Do you know how to fix this? Thanks.

Hey @claustres,

I know it’s not exactly a solution, but a similar issue had been discussed in the thread below:

It was about using links to external websites outside of the Glitch domain, where the links did not work in Show Next To The Code. It was eventually found that the Glitch projects were sending an `X-Frame-Options: SAMEORIGIN` response header. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page.

@cori later responded by saying that it was a limitation of the side-by-side preview.

Thanks, so it appears to be a limitation for now :sleepy: