Content Security Policy and iframe integration

We’d like to use Glitch to make some sample code about how to use an app that can be embedded as an iframe in another app. This app uses to select which domains are allowed to integrate it as an iframe. I’ve added and as allowed domains. The iframe shows up correctly when opening my project url However when using the “show” mode in the editor it cannot be displayed saying it violates the policy, just like it is not served from any of these domains.

Do you know how to fix this ? Thanks.

Hey @claustres,

I know it’s not exactly a solution, but a similar issue had been discussed in the below thread:

It was about using links to external websites outside of the Glitch domain, where the links did not work in Show Next To The Code. It was eventually found that the Glitch projects were sending X-Frame-Options: SAMEORIGIN response header. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page.

@cori later responded by saying that it was a limitation of the side-by-side preview.

Thanks, so it appears to be a limitation for now :sleepy: