Hi there, It looks like Netlify changed its default headers. In particular, setting X-Frame-Options; DENY. This is a breaking change! My app relies on an iframe that users can add to their websites. Setting X-Frame-Options; DENY prevents the app from loading. Unfortunately, there is no way to unset…

I figured it out. It turns out Netlify now automatically injects the Netlify Adapter for Gatsby websites! This in turns disables the existing gatsby-plugin-netlify plugin and sets default headers including X-Frame-Options; DENY. Here is a sample of my build log on Netlify: 10:13:56 AM: warning Dis…

Breaking change: X-Frame-Options set to DENY

Support

ericshane June 29, 2024, 7:09pm 3

For the Redash project we found that we could overcome this by setting the Content-Security-Policy header in gatsby-config.js

  headers: [
    {
      source: '*',
      headers: [
        {
          key: 'Content-Security-Policy',
          value: 'frame-ancestors *;',
        },
      ],
    },
  ],

This works because X-Frame-Options is obsolete:

Topic		Replies	Views
Invalid 'X-Frame-Options' header encountered when loading 'https://store.duxiana.com/': 'allow-from https://store.duxiana.com/' is not a recognized directive. The header will be ignored.Understand this error chrome-error://chromewebdata/:1 Refused to disp Support deployment , gatsby	14	1206	August 26, 2024
Change the HEADER X-Frame-Options to one of my environments Support deployment , headers	12	5740	August 3, 2024
X-frame-options header not updated - Cached headers? Support deployment , headers	1	1451	January 1, 2021
Updated Headers Via gatsby-plugin-netlify & @netlify/plugin-gatsby - referrer header with domain not being set as before in iframe src urls Support deployment , gatsby , headers	2	603	October 17, 2023
Remove inherited header applied by splat path in _headers Support headers	21	2695	April 30, 2021

Breaking change: X-Frame-Options set to DENY

Related topics