Question Control Panel in iFrame / X-Frame-Options

[Linus]

In Plesk Onyx there wasn't any X-Frame-Options Headers at all, so it was easy to implement the control panel in our customer center as an iframe.

With the new obsidian release there are new Response headers:

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

If we now create the users session by the plesk API the browser is blocking the request.
After changing the /etc/sw-cp-server/conf.d/plesk.conf and adding the header

X-Frame-Options: allow-from account.company.com

the browser is still blocking the request.

Any ideas to fix this issue?

 

[Raul A.]

Hi,

You need to hide the fastcgi header:fastcgi_hide_header X-Frame-Options;
You can add it in /etc/sw-cp-server/conf.d/{something}_plesk.inc

If you wish to restrict iframe to a specific url use the following in the same file:
add_header Content-Security-Policy "frame-ancestors 'self' https://{URL};"