Hey guys,
Just wondering if anyone can shed some light on (what could be) a (possible) site security issue …
For a standard site, probably not a big deal but when you’re dealing with money, you want to minimize all risks …
I want to block my Bubble app from being embedded into an iFrame but also give it an exception (for the main domain), i.e. bubbleapp.maindomain.com >> allow it to be iFrame-embedded into maindomain.com (only).
Bubble's current (X-Frame) options:
“Same Origin” doesn’t apply here.
After a little investigative journey, it appears “Content Security Policies” are preferred for all newer browsers, as X-Frame policies are being deprecated.
I’m not a coder (hence why I love Bubble), but I’ve been trying to figure out how to use Content Security Policies within Bubble by adding something like this in the scripts header >> Settings >> SEO / metatags >> Script/metatags in header >>
AND/OR…
Problem is, it appears Bubble's X-Frame options override any scripts in the meta header, OR there's something wrong with my script (probably the latter)…
OR is there a better place to add the security policy in the server files somewhere?
Testing using a nifty little tool, this is what's being returned:
So I’m a bit stuck on how to block iFrame embeds while allowing exceptions … if anyone has some more insight, I’m sure the community would be interested also …
Thank you,
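Added example, not part of the original post and not Bubble's own code: the exact policy the post is asking for is a CSP `frame-ancestors` directive, and the practical catch is that browsers ignore `frame-ancestors` when it is placed in a `<meta http-equiv="Content-Security-Policy">` tag; it only takes effect as a real HTTP response header, which is why nothing in a "scripts/metatags in header" box can set it. The older `X-Frame-Options: ALLOW-FROM` form is not honoured by current browsers, and where a page carries both headers, browsers that understand `frame-ancestors` use the CSP directive and ignore `X-Frame-Options`. The Node.js script below builds the directive from an allow-list, sets it as a header on a stand-alone server, and models how a browser would evaluate it for a given embedding origin. The origins `bubbleapp.maindomain.com` and `maindomain.com` are taken from the post; the port 8080 and the `--serve` flag are assumptions, and the matcher is a deliberately simplified version of CSP source matching (it ignores ports, paths and the scheme-less http-to-https upgrade rule).

```javascript
// Added example (not from the original post): CSP frame-ancestors as an
// HTTP response header, plus a simplified model of how a browser evaluates it.
// Runs on plain Node.js with no dependencies.

// Build the frame-ancestors directive from an allow-list of source expressions.
// 'self' is the app's own origin; other entries are scheme://host, optionally
// with a leading "*." wildcard label. An empty list blocks all embedding.
function frameAncestorsPolicy(allowed) {
  if (allowed.length === 0) return "frame-ancestors 'none'";
  return "frame-ancestors " + allowed.join(" ");
}

// Does one CSP source expression match the embedder's origin?
// Simplification (assumption): ports and paths are ignored, and a source
// without a scheme matches any scheme.
function sourceMatches(source, embedderOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedderOrigin === selfOrigin;

  const embedder = new URL(embedderOrigin);
  let scheme = null;
  let hostPattern = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) {
    scheme = m[1].toLowerCase();
    hostPattern = m[2];
  }
  if (scheme !== null && scheme + ":" !== embedder.protocol) return false;

  const host = embedder.hostname.toLowerCase();
  hostPattern = hostPattern.toLowerCase().replace(/[:/].*$/, ""); // drop port/path
  if (hostPattern.startsWith("*.")) {
    // "*.maindomain.com" matches "www.maindomain.com" but NOT "maindomain.com".
    const suffix = hostPattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPattern;
}

// Would a browser let embedderOrigin put a page from selfOrigin in an iframe,
// given the page's Content-Security-Policy header value?
// Note: frame-ancestors does NOT fall back to default-src; if the directive is
// absent, CSP places no restriction on framing.
function embeddingAllowed(policyHeader, embedderOrigin, selfOrigin) {
  const directive = policyHeader
    .split(";")
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return true;
  const sources = directive.split(/\s+/).slice(1);
  return sources.some((s) => sourceMatches(s, embedderOrigin, selfOrigin));
}

// The policy the post asks for: the app's own origin plus maindomain.com only.
const SELF_ORIGIN = "https://bubbleapp.maindomain.com";
const POLICY = frameAncestorsPolicy(["'self'", "https://maindomain.com"]);

// Minimal server that sends the directive as a real response header. This is
// the part a <meta> tag cannot do: browsers ignore frame-ancestors in <meta>.
function createServer() {
  const http = require("http");
  return http.createServer((req, res) => {
    res.setHeader("Content-Security-Policy", POLICY);
    res.setHeader("Content-Type", "text/html; charset=utf-8");
    res.end("<h1>embedded app</h1>");
  });
}

// Only listen when explicitly asked (assumed flag), so the module can be
// loaded for its functions without opening a socket.
if (process.argv.includes("--serve")) {
  createServer().listen(8080, () => {
    console.log("listening on :8080 with Content-Security-Policy:", POLICY);
  });
}
```

Run it with `node csp-frame.js --serve` and confirm the header with `curl -I http://localhost:8080/`; the same `curl -I` against the live app is the quickest way to see whether a hosting platform is actually emitting `frame-ancestors` or only an `X-Frame-Options` header. If the platform only offers the `X-Frame-Options` values shown in the post and gives no way to set response headers, the `frame-ancestors` exception has to be added at a layer that does control headers, such as a reverse proxy or CDN in front of the app.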