Friday, April 15, 2022

[FIXED] What http headers are related to iframe loading ? nuxt-helmet

Issue

I wanted to know which security headers are related to iframe loading and may cause an iframe not to load.

I used nuxt-helmet to set security headers in my Nuxt project, and it caused iframes not to load when I upload my site to the server locally and use Nginx to reverse proxy to a domain address.

I think it's because some headers are set to same-origin, but my project runs on localhost and gets proxied to the domain by Nginx, so same-origin doesn't get applied here. Am I right?

Anyway, when I disabled nuxt-helmet, the iframes loaded.

The site that I'm working on is this: https://app1.tabachain.com/blog

nuxt-helmet is now disabled, but I'd like to know which header causes an iframe not to load.

nuxt-helmet sets these headers, but I am not familiar with all of them:

Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

As far as I checked, the problem isn't from the X-Frame-Options header, because I disabled it completely in the nuxt-helmet config and I still have the same issue. You can visit the site now and see the headers there too.


Solution

I found that my issue was because of this header: Cross-Origin-Embedder-Policy: require-corp

I fixed this issue by disabling it in the nuxt-helmet config:

helmet: {
    crossOriginEmbedderPolicy: false,
},

The issue wasn't from X-Frame-Options.



Answered By - Mehdi Rafiee
Answer Checked By - Marilyn (PHPFixing Volunteer)
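
To see which side's headers actually stop an iframe, the following added example (not code from the original post or from nuxt-helmet) models the header checks a browser applies to a framed document. The function names and sample origins are assumptions made for illustration, and CSP source matching is simplified to 'none', *, 'self' and exact origins.

```javascript
// Added example: simplified model of the response-header checks a browser
// applies before rendering an <iframe>. Header names are lowercase keys.
function directive(csp, name) {
  for (const part of (csp || '').split(';')) {
    const [key, ...sources] = part.trim().split(/\s+/);
    if (key.toLowerCase() === name) return sources;
  }
  return null; // directive absent
}

// Simplified source matching: 'none' matches nothing; *, 'self', exact origins match.
const allows = (sources, target, self) =>
  sources.some(s => s === '*' || s === target || (s === "'self'" && target === self));

function iframeBlockers(embedder, framed) {
  const reasons = [];
  const eh = embedder.headers, fh = framed.headers;
  const sameOrigin = embedder.origin === framed.origin;
  // Embedder side: CSP frame-src, falling back to child-src, then default-src.
  const csp = eh['content-security-policy'];
  const frameSrc = directive(csp, 'frame-src') || directive(csp, 'child-src') || directive(csp, 'default-src');
  if (frameSrc && !allows(frameSrc, framed.origin, embedder.origin))
    reasons.push('embedder CSP frame-src');
  // Framed side: frame-ancestors, when present, takes precedence over X-Frame-Options.
  const ancestors = directive(fh['content-security-policy'], 'frame-ancestors');
  const xfo = (fh['x-frame-options'] || '').trim().toUpperCase();
  if (ancestors) {
    if (!allows(ancestors, embedder.origin, framed.origin)) reasons.push('framed CSP frame-ancestors');
  } else if (xfo === 'DENY' || (xfo === 'SAMEORIGIN' && !sameOrigin)) {
    reasons.push('framed X-Frame-Options');
  }
  // COEP require-corp on the embedder: the framed document must opt in too,
  // and a cross-origin one must send CORP: cross-origin (same-site not modelled).
  const coep = h => (h['cross-origin-embedder-policy'] || '').split(';')[0].trim();
  if (coep(eh) === 'require-corp') {
    if (!['require-corp', 'credentialless'].includes(coep(fh))) reasons.push('framed document lacks COEP');
    if (!sameOrigin && (fh['cross-origin-resource-policy'] || '').trim() !== 'cross-origin')
      reasons.push('framed document lacks CORP: cross-origin');
  }
  return reasons;
}

// Constructed sample: the embedder sends two of the headers discussed on this page.
const sample = iframeBlockers(
  { origin: 'https://app.example', headers: { 'x-frame-options': 'SAMEORIGIN', 'cross-origin-embedder-policy': 'require-corp' } },
  { origin: 'https://video.example', headers: {} });
console.log(sample);
```

In the sample, X-Frame-Options on the embedding page contributes nothing, because that header only controls who may frame the page that sends it; the two reported blockers both come from Cross-Origin-Embedder-Policy: require-corp.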
