• Dear Pleskians! The Plesk Forum will be undergoing scheduled maintenance on Monday, 7th of July, at 9:00 AM UTC. The expected maintenance window is 2 hours.
    Thank you in advance for your patience and understanding on the matter.

Question Control Panel in iFrame / X-Frame-Options

Linus

Linus

New Pleskian
In Plesk Onyx there wasn't any X-Frame-Options Headers at all, so it was easy to implement the control panel in our customer center as an iframe.

With the new obsidian release there are new Response headers:
Code: 
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

If we now create the users session by the plesk API the browser is blocking the request.
After changing the /etc/sw-cp-server/conf.d/plesk.conf and adding the header
Code: 
X-Frame-Options: allow-from account.company.com
the browser is still blocking the request.

Any ideas to fix this issue?
 
Hi,

You need to hide the fastcgi header:fastcgi_hide_header X-Frame-Options;
You can add it in /etc/sw-cp-server/conf.d/{something}_plesk.inc

If you wish to restrict iframe to a specific url use the following in the same file:
add_header Content-Security-Policy "frame-ancestors 'self' https://{URL};"
 
You must log in or register to reply here.

Similar threads

Y
Question Issue Implementing Dynamic CORS Headers in Plesk’s Additional NGINX Directives
Replies
1
Views
913
yfain
Y
A
Question How to use Clear-Site-Data header rule to clear browser cache
Replies
2
Views
4K
AntoineW
A
D
Input How to run Magento 2 on Plesk Obsidian 18 without Docker
Replies
7
Views
6K
grizlyadams
G
N
Question NGINX & Wordpress(Woocommerce) Setup
Replies
0
Views
2K
nikosvl97
N
T
Issue Host settings and htaccess behavior in nginx proxy mode
Replies
3
Views
3K
Peter Debik
P
Back
Top