Problem/Motivation

We have set up a second domain to satisfy the oEmbed iframe warning. The second domain (www3.*) is fully functional with a valid SSL certificate etc., and the URL is added to the Media settings configuration (/admin/config/media/media-settings) as "https://www3.xxx.xx.xx". However, when a page with oEmbed content is loaded in the client browser, the iframe refuses to load the embedded content.


Comments

jmouse888 created an issue. See original summary.

cilefen

Status: Active » Postponed (maintainer needs more info)

Drupal 8 is unsupported.

larowlan

Check your CSP headers

jmouse888

@cilefen Sorry, this is actually on D9 latest. Set the version to 8.9x-dev because the issue has existed since 8.9x. I will update the version.

@larowlan I did try to set CSP but not sure if it's helping. Could you give me a bit more details on what to put and on which site? I have set CSP on the parent site (www) and on the oembed site (www3). Neither is helping. Could you give some examples? In this case, say the original site is www.example.com, and the oembed site is www3.example.com, and the video content is a YouTube video. What should the CSP tag look like and on which site should it be set? Thanks a lot for the help!

jmouse888

Version: 8.9.x-dev » 9.5.x-dev
Status: Postponed (maintainer needs more info) » Active

longwave

This is related to, and perhaps a duplicate of, #3075685: Should "iFrame domain" also set "X-Frame-Options" header. Core sets X-Frame-Options: SAMEORIGIN by default, which means content cannot be embedded from other domains, which is at odds with this feature.

The comments in that issue suggest setting a CSP header can override X-Frame-Options.

cilefen

What does the browser console log?

jmouse888

Got it to work!

I installed the CSP module and added "*.example.com" to "frame-ancestors".

So to sum up for those struggling to get this to work:

  • https://www.example.com is the parent domain (i.e. main website)
  • oembed domain set in /admin/config/media/media-settings is "https://www3.example.com"
  • make sure both sites are set up correctly, i.e. SSL certificates are valid and you don't get any errors if you load the site from https://www.example.com and from https://www3.example.com
  • in CSP config (/admin/config/system/csp) under "Enforced", set "frame-ancestors" to Self and additional sources to "*.example.com"
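A small check for the header rule longwave describes and the summary above applies, added here as an example that is not part of the issue, the CSP module or Drupal core: given the response headers of the framed oEmbed page and the parent page's origin, it reports whether a browser will allow the embed. The example.com hosts are the thread's illustrative names and the two header sets are constructed; it assumes that port and path parts of frame-ancestors host-sources can be ignored.

```python
# Added example (not from the issue or Drupal core): does a browser let a page
# on `framed` be embedded by a page on `parent`? Models the precedence the
# thread relies on: a CSP frame-ancestors directive overrides X-Frame-Options;
# without one, SAMEORIGIN permits only same-origin framing. Assumption: ports
# and paths inside frame-ancestors host-sources are ignored (host match only).
from urllib.parse import urlsplit

def _same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def _source_allows(source: str, parent: str, framed: str) -> bool:
    # Evaluate one frame-ancestors source expression against the parent origin.
    p = urlsplit(parent)
    if source == "'self'":
        return _same_origin(parent, framed)
    if source == "*":
        return True
    if source.startswith("'"):               # 'none' or an unsupported keyword
        return False
    if source.endswith(":"):                 # scheme-source such as "https:"
        return p.scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")
    if scheme and scheme.lower() != p.scheme:
        return False
    pattern, host = rest.split("/")[0].split(":")[0].lower(), (p.hostname or "").lower()
    if pattern.startswith("*."):             # "*.example.com" matches subdomains only
        return host.endswith(pattern[1:])
    return pattern == host

def framing_allowed(headers: dict, parent: str, framed: str) -> bool:
    """Apply the framed page's response headers to a candidate parent origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":  # present: X-Frame-Options is ignored
            return any(_source_allows(s, parent, framed) for s in value.split())
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(parent, framed)
    return True                              # no recognised restriction: framing allowed

# Constructed sample responses from the oEmbed domain (www3.example.com).
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
WITH_CSP = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' *.example.com"}
```

Running `framing_allowed(XFO_ONLY, "https://www.example.com", "https://www3.example.com")` reproduces the refused iframe from the summary, while the same call with `WITH_CSP` is allowed because the CSP header takes precedence.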

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

cilefen

Status: Active » Closed (works as designed)