Breaking change: X-Frame-Options set to DENY

Hi there,

It looks like Netlify changed its default headers. In particular, it now sets X-Frame-Options: DENY. This is a breaking change! My app relies on an iframe that users can add to their websites. Setting X-Frame-Options: DENY prevents the app from loading. Unfortunately, there is no way to unset X-Frame-Options, i.e. X-Frame-Options: ALLOWALL isn’t a valid value. Please advise!

Website: https://outdoorstatus.com/

I figured it out. It turns out Netlify now automatically injects the Netlify Adapter for Gatsby websites! This in turn disables the existing gatsby-plugin-netlify plugin and sets default headers including X-Frame-Options: DENY.

Here is a sample of my build log on Netlify:

10:13:56 AM: warning Disabling plugin gatsby-plugin-netlify:
10:13:56 AM:  - Not compatible with the gatsby-adapter-netlify adapter. Please remove it from your gatsby-config.

The solution is to override the headers option inside gatsby-config.

It would have been nice to get a heads-up before making that change!

For the Redash project we found that we could overcome this by setting the Content-Security-Policy header in gatsby-config.js:

  headers: [
    {
      source: '*',
      headers: [
        {
          key: 'Content-Security-Policy',
          value: 'frame-ancestors *;',
        },
      ],
    },
  ],

This works because X-Frame-Options is obsolete:
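
Added example, not part of the original posts and not Netlify's or Gatsby's code: a simplified model of how a browser resolves the two headers discussed in this thread, showing that an enforced `frame-ancestors` directive is evaluated instead of `X-Frame-Options`. The header objects and the `customer.example` / `other.example` origins are constructed, and source matching is reduced to `'none'`, `'self'`, `*`, exact origins and `*.host` wildcards.

```javascript
// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one embedding origin against one source expression (simplified).
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return ancestor === self;
  if (s.includes('://*.')) {
    const [scheme, host] = s.split('://*.');
    const url = new URL(ancestor);
    return url.protocol === scheme + ':' && url.hostname.endsWith('.' + host);
  }
  return s === ancestor;
}

// headers: object keyed by lower-case header name, one value per header.
// Returns true if a page on `ancestor` may frame a response served from `self`.
function framingAllowed(headers, ancestor, self) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors is present, so X-Frame-Options is not consulted.
    if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
    return sources.some((s) => sourceMatches(s, ancestor, self));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestor === self;
  return true; // header absent or value unrecognized: it imposes no restriction
}

// Constructed sample responses.
const SAMPLES = {
  adapterDefault: { 'x-frame-options': 'DENY' },
  threadOverride: { 'x-frame-options': 'DENY',
                    'content-security-policy': 'frame-ancestors *;' },
  allowListed:    { 'x-frame-options': 'DENY',
                    'content-security-policy': 'frame-ancestors https://customer.example' },
};
```

The third sample is the narrower form of the same override: listing only the origins expected to embed the page keeps every other site from framing it.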