[CMS-12504] Deal with X-Frame-Options for cross-origin websites in the SPA SDK demos - Issues

XML

Word

Printable

Details

Type: Task
Status: Closed
Priority: Normal
Resolution: Available for testing
Affects Version/s: None
Fix Version/s: 14.2.0, 100.2.0
Component/s: None
Labels:
None

Story Points:
1
Epic Link:
SPA Support w/o Reverse Proxy
Processed by team:
Quasar
Sprint:
Puma Sprint 230, Puma Sprint 231

Description

Problem:
At the moment, HST returns `X-Frame-Options: SAMEORIGIN` that makes it impossible to load an external website inside the channel manager iframe (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).

Solution:
When the SPA mode is enabled, we can return `Content-Security-Policy: frame-ancestors 'self' https://www.example.com` instead of `X-Frame-Options` (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).

Attachments

Activity

People

Assignee:: Nikola Trajkovski

Reporter:: Mikhail Dokolin (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Jan/20 3:51 PM

Updated:: 30/Mar/20 10:48 AM

Resolved:: 26/Mar/20 9:21 AM