• Inviting everyone who uses WordPress management tools in Plesk
    The Plesk team is conducting a 60-minute research session that includes an interview and a moderated usability test.
    To participate, please use this link .
    Your experience will help shape product decisions and ensure the tools better support real-world use cases.

Question Control Panel in iFrame / X-Frame-Options

Linus

Linus

New Pleskian
In Plesk Onyx there wasn't any X-Frame-Options Headers at all, so it was easy to implement the control panel in our customer center as an iframe.

With the new obsidian release there are new Response headers:
Code: 
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

If we now create the users session by the plesk API the browser is blocking the request.
After changing the /etc/sw-cp-server/conf.d/plesk.conf and adding the header
Code: 
X-Frame-Options: allow-from account.company.com
the browser is still blocking the request.

Any ideas to fix this issue?
 
Hi,

You need to hide the fastcgi header:fastcgi_hide_header X-Frame-Options;
You can add it in /etc/sw-cp-server/conf.d/{something}_plesk.inc

If you wish to restrict iframe to a specific url use the following in the same file:
add_header Content-Security-Policy "frame-ancestors 'self' https://{URL};"
 
You must log in or register to reply here.

Similar threads

Y
Question Issue Implementing Dynamic CORS Headers in Plesk’s Additional NGINX Directives
Replies
1
Views
3K
yfain
Y
A
Question How to use Clear-Site-Data header rule to clear browser cache
Replies
2
Views
7K
AntoineW
A
D
Input How to run Magento 2 on Plesk Obsidian 18 without Docker
Replies
8
Views
9K
Isolde
I
N
Question NGINX & Wordpress(Woocommerce) Setup
Replies
0
Views
3K
nikosvl97
N
T
Issue Host settings and htaccess behavior in nginx proxy mode
Replies
3
Views
5K
Peter Debik
P
Back
Top