iFrame got blocked after update WordPress 6.9

2 days ago 5

Pro-tip: Remove conflicting headers first

Starting from WordPress 6.x, the core might be more aggressive in sending the X-Frame-Options: SAMEORIGIN header, which often conflicts with frame-ancestors. When both are present, the browser will follow the most restrictive one.

To fix this, you should remove the default X-Frame-Options and use the send_headers hook, which is the dedicated way to handle this in WordPress.

Try this snippet in your functions.php:

add_action('send_headers', function () {
    // 1. Remove the default WordPress header to prevent conflicts
    header_remove('X-Frame-Options');

    $app_domain = 'https://example.com';

    // 2. Validate the referer or origin
    // Note: HTTP_REFERER can be unreliable. Checking the Origin is often safer.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';

    // Compare the referer's origin (scheme://host[:port]) with the allowed
    // origin instead of searching for the string anywhere in the URL: a
    // substring match would also accept https://example.com.evil.test/ or
    // https://evil.test/?next=https://example.com
    $parts = parse_url($referer);
    $referer_origin = '';
    if ($parts !== false && isset($parts['scheme'], $parts['host'])) {
        $referer_origin = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
        if (isset($parts['port'])) {
            $referer_origin .= ':' . $parts['port'];
        }
    }

    if ($referer_origin === $app_domain) {
        // Allow the specific subdomain/domain
        header("Content-Security-Policy: frame-ancestors 'self' " . $app_domain);
    } else {
        // Fallback to self only
        header("Content-Security-Policy: frame-ancestors 'self'");
    }
}, 1);

Amr Elsayed
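The decision logic in the answer above, written out as a stand-alone PHP script so the origin-matching step can be exercised against realistic request headers. This is an added example, not the answerer's code and not part of WordPress; the function names (normalise_origin, frame_ancestors_for_request), the ALLOWED_EMBEDDERS allowlist and the header samples are all assumptions constructed for illustration. It goes slightly beyond the answer by preferring the Origin header over Referer, by allowing a list of embedders rather than one, and by showing the two inputs a substring check would wrongly accept.

```php
<?php
// Added example (not from the answer or WordPress). Names below are assumed.
declare(strict_types=1);

/** Origins allowed to embed this site (constructed allowlist). */
const ALLOWED_EMBEDDERS = ['https://example.com', 'https://app.example.com'];

/**
 * Reduce a URL or origin string to a normalised origin "scheme://host[:port]".
 * Returns null when the value has no scheme or host (e.g. "", "null", garbage),
 * so an absent or opaque header never matches anything.
 */
function normalise_origin(string $value): ?string
{
    $p = parse_url($value);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Build the Content-Security-Policy value for one request.
 * Prefers the Origin header and falls back to Referer (a full URL).
 * Only an exact origin match is accepted, so "https://example.com.evil.test"
 * and "https://evil.test/?next=https://example.com" both fall back to 'self'.
 * In WordPress the $headers array would be filled from $_SERVER['HTTP_ORIGIN']
 * and $_SERVER['HTTP_REFERER'] inside the send_headers callback.
 */
function frame_ancestors_for_request(array $headers, array $allowed = ALLOWED_EMBEDDERS): string
{
    $candidate = $headers['Origin'] ?? $headers['Referer'] ?? '';
    $origin = normalise_origin((string) $candidate);
    $allowedSet = array_filter(array_map('normalise_origin', $allowed));

    if ($origin !== null && in_array($origin, $allowedSet, true)) {
        return "frame-ancestors 'self' " . $origin;
    }
    return "frame-ancestors 'self'";
}

// Constructed request samples (not captured traffic).
$cases = [
    'legit Origin'           => ['Origin' => 'https://example.com'],
    'legit Referer URL'      => ['Referer' => 'https://app.example.com/dashboard?tab=1'],
    'substring bypass: host' => ['Referer' => 'https://example.com.evil.test/'],
    'substring bypass: query'=> ['Referer' => 'https://evil.test/?next=https://example.com'],
    'scheme downgrade'       => ['Origin' => 'http://example.com'],
    'opaque origin'          => ['Origin' => 'null'],
    'no header at all'       => [],
];

foreach ($cases as $label => $headers) {
    printf("%-25s => Content-Security-Policy: %s\n", $label, frame_ancestors_for_request($headers));
}
```

Two caveats when using this pattern on a live site. First, a browser loading a page inside an iframe usually sends Referer but not Origin, and under the default Referrer-Policy (strict-origin-when-cross-origin) a cross-site Referer is trimmed to its origin; that still matches here, but an embedder that sets no-referrer will always get the 'self' fallback and be blocked. Second, because the header now varies per request, any full-page cache in front of PHP will serve whichever variant it stored first; if that is a concern, the simpler and cache-safe option is to send all allowed origins unconditionally, since frame-ancestors accepts a space-separated list.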
