Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
Embedding H5P content on a website with a different domain results in an error caused by the X-Frame-Options being set to 'sameorigin'.
Steps to reproduce
Try to embed an H5P in a website with a different domain.
Proposed resolution
Apply the attached patch which removes the X-Frame-Origin header for the h5p.content.embed route.
Remaining tasks
Review and apply the attached patch.
| Comment | File | Size | Author |
|---|---|---|---|
| h5p-x-frame-options-embed-2.patch | 2.43 KB | shaundychko |
Comments
Comment #2
shaundychkoThe D7 issue is #2612208: embed.php Cross-domain policy option
Comment #3
shaundychkoThe solution here of checking for the route name is more reliable than using regex as proposed in the related issue here: https://www.drupal.org/project/h5p/issues/2612208#comment-12476851