Do you know a specific case, like you have a site without SameSite cookie attributes or what?
Cookies with a SameSite attribute of either strict or lax will not be included in requests, so it's already a good prevention. Does anyone in modern days use none?
What are SameSite cookie attributes? Does it solve the embedding problem, and is it easy to set up in Webstudio?
Clickjacking is valid if it's used during some login process, etc. So some actions will be executed on the user's behalf
So the user needs to be logged in
Somewhere, i.e. have cookies
We don't have sessions or logins, so I've asked about the specific use case you have
Ok, gotcha, to have a point from some tool -) it's a valid concern, we will check
We will try to add it ASAP
Ok. It's not that I care about having X-Frame-Options, it's more about protecting my site from clickjacking, and if there's anything I can do to protect against that
Hi, Ivan! I noticed that my iframe embedding for my Webstudio site stopped working on my Weblium site, possibly after your recent update to enhance clickjacking protection. Could you please advise on how I can modify the security settings to allow embedding on specific trusted sites (e.g., my Weblium site)? If there’s a way to configure the Content-Security-Policy or X-Frame-Options headers to permit this while maintaining security, I’d appreciate your guidance.
Interesting situation, may I ask what the use case is? Why are you embedding a Webstudio site inside a Weblium site?
Hi, Oleg! The embedded Webstudio page displays a list of upcoming events pulled from an Airtable base. My client prefers a no-code/low-code solution to manage their site independently, so I initially used Weblium for the main platform and Webstudio for the event list embed. At the time, Webstudio’s content mode wasn’t available, so this setup was the best option. If there’s a way to enable iframe embedding for trusted sites like my Weblium project, I’d appreciate your advice!
Right now there is none, we will whitelist your project and then consider adding an option
Yes, it's working now. Thank you both!!
@Ivan Starkov and @Oleg Isonen, I just noticed this, you are the goat! thanks a lot!
We actually lost a use case where some people need to be able to embed their site in the iframe. Not sure this was the right move to have the restriction by default.
It should have been an opt-in feature.
I am still considering removing it by default and letting users opt-in via settings.
After our conversation, I realized that as well, but if it were an option for each website, it would be great
I will ping you directly if we decide to add the setting and remove the default, so you can switch.
Yeah having a control if we can embed or not would be really helpful. Facing this issue now.
Definitely, especially since you want to be able to decide where you want to allow embedding
@Oleg Isonen do you have an ETA for this feature?
Is there a way I can make this work?
i.e. allowing embedding within PostHog only
Yes, ATM by overriding it yourself on Cloudflare
How? I don’t have control over this website’s DNS
Can’t add it to Cloudflare
You don't have access to the website's registrar settings?
No my client has a webmaster in charge of this
Well, to use Cloudflare they would need to set the nameservers to CF and then be able to use all the stuff at CF for free
including overriding headers
I’m not sure they’re willing to do this. Their main domain name is hosted on WPEngine. I made them create a subdomain for webstudio only.
If I tell them to change name servers, it could mess with their main domain hosting, no?
Or can I just add the subdomain to cloudflare?
There are probably other ways to use CF to override the headers
For future use cases, can you tell me what kind of headers I should set up?
This is the standard X-Frame-Options header
Without it your website can be clickjacked, so it needs to be either same-origin or a specific other origin where you want to embed it