Custom Content Security Policy Headers

Is there a way to be able to add a custom Content Security Header?

I think this is a feature request, but at the same time is worth asking. I am looking to embed a public app with a Bubble GUI into that app’s native workspace. One of the things required when embedding as an iframe is the frame-ancestors header, to allow restriction on the domain in the session.

Is there a way to produce a dynamic header, with the frame-ancestors configured in a way that the domains were being pulled from the user account?

1 Like

Same problem here, embedding a public page but only wish to do this to approved domains, requiring a content security policy http header.

Has anyone managed to create a workaround for this?

1 Like

Any solution?

1 Like

Hello, you can solve this by going to:

Settings > General > “Allow to render the app in a frame/iframe” → Dropdown options

Don't forget to Deploy the app also.

It worked here :slight_smile:

1 Like

Answer in Portuguese for future Brazilians:

You can solve this in the App settings in the Bubble editor, by going to:

Settings > General > “Allow to render the app in a frame/iframe” → Dropdown options

Don't forget to deploy

It worked here :slight_smile:

1 Like

Hey Thiago, how's it going?

Yes, I know that setting, but the headers I'm referring to are:

newResponse.headers.append("Strict-Transport-Security", "max-age=2592000; includeSubDomains; preload")
newResponse.headers.append("X-Xss-Protection", "1; mode=block")
newResponse.headers.append("X-Frame-Options", "DENY")
newResponse.headers.append("X-Content-Type-Options", "nosniff")
newResponse.headers.append("Content-Security-Policy", "upgrade-insecure-requests")
newResponse.headers.append("Referrer-Policy", "no-referrer")

I need to implement these
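
An added example, not part of any post above and not Bubble's own code: one way to build the per-account frame-ancestors policy asked about in the first post alongside the headers listed in the last post. It assumes a proxy or Worker in front of the app that can rewrite response headers (as the `newResponse.headers` lines suggest); the function names and sample domains are hypothetical.

```javascript
// Static headers, values copied from the last post in the thread.
const STATIC_HEADERS = {
  "Strict-Transport-Security": "max-age=2592000; includeSubDomains; preload",
  "X-Xss-Protection": "1; mode=block",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer",
};

// Turn one stored domain into a CSP source expression, or null if invalid.
// Only hostname characters (optional leading "*." and port) are accepted, so
// a stored value cannot smuggle ";" or spaces and inject extra directives.
function toAncestorSource(domain) {
  const host = String(domain).trim().toLowerCase();
  const ok = /^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(:\d{1,5})?$/.test(host);
  return ok ? `https://${host}` : null;
}

// Build the frame-ancestors directive from the account's approved domains.
// With no valid domain it fails closed to 'none' (no framing at all).
function frameAncestors(approvedDomains) {
  const sources = [...new Set(approvedDomains.map(toAncestorSource).filter(Boolean))];
  return `frame-ancestors ${sources.length ? sources.join(" ") : "'none'"}`;
}

// Works on any object with set()/delete(), e.g. a Fetch API Headers object:
//   applySecurityHeaders(newResponse.headers, domainsFromUserAccount)
function applySecurityHeaders(headers, approvedDomains) {
  for (const [name, value] of Object.entries(STATIC_HEADERS)) headers.set(name, value);

  // One policy, set() not append(): several CSP headers are all enforced
  // together, so an appended second policy can only restrict further.
  const ancestors = frameAncestors(approvedDomains);
  headers.set("Content-Security-Policy", `upgrade-insecure-requests; ${ancestors}`);

  // X-Frame-Options cannot express a list of origins. Browsers that enforce
  // frame-ancestors ignore it, but older ones would apply DENY and block the
  // approved embed, so it is only sent when nothing is approved.
  if (ancestors.endsWith("'none'")) headers.set("X-Frame-Options", "DENY");
  else headers.delete("X-Frame-Options");
  return headers;
}

// Constructed sample input: domains as they might be stored on a user account.
const sampleDomains = ["App.Example.com", "*.partner.example", "evil.com; script-src *"];
console.log(applySecurityHeaders(new Map(), sampleDomains).get("Content-Security-Policy"));
```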