I would like to share a specific and custom Collection View to be embedded by other websites (using an iframe) and came across some "problem":
X-Frame-Options seems to be set empty or allowall (or alike) which means ALL content could be embedded - not so good.
This view has a contentfilter portlet, which does not fire events when inside an iframe (after setting plone-x-frame-option to empty in zope.conf).
As I don't want to allow all content to be used inside iframes, the x-frame-options doesn't fit the bill.
Is there any other way to only allow sharing a specific view (ideally to specific domain names) and/or piece of content?
…like: via control panel, via plone.protect on a custom view, via a behavior on the collection type or something else?
I hope I didn't miss any solutions by searching here and on GitHub.
Please help me and get my nose pointing in the right direction in order to achieve <3
Unless you want to 'redo a bit of the programming of collectionfilter', you might be able to make a custom view, basically duplicating the one you use but remove/change the line that says
I will try a custom view that sets the response headers x-frame-options - that will at least reduce the risk of clickjacking the entire website down to a few pages.
Additionally I could add a list field to add allowed domains, so only those get the response header set. Maybe worth a try.
I already did a view template using the master macro from main_template.
Thank you for the ajax_load hint - will try that too.
A REST API would add overhead as the collection page is styled and done. I need this to be embeddable so no further stuff needs to be done on the other end(s).
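A sketch of the per-view header idea from the post above, added here as an example and not code from the thread or from Plone. It uses `Content-Security-Policy: frame-ancestors` for the allow-list, because X-Frame-Options cannot name several permitted domains; the function names and the sample domains are hypothetical.

```python
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")


def normalize_origin(value):
    """Return 'https://host[:port]' or raise ValueError.

    Values would come from an editable list field, so anything that could
    widen the policy or inject a second directive/header is rejected.
    """
    value = value.strip()
    if any(c.isspace() or c in ";,'\"*" for c in value):
        raise ValueError(f"forbidden character in origin: {value!r}")
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https origin: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path or query: {value!r}")
    if parts.username or not HOST_RE.fullmatch(parts.hostname):
        raise ValueError(f"unsupported host in origin: {value!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"


def framing_headers(view_is_embeddable, allowed_origins):
    """Build the framing headers for one response.

    Every view except the shared one stays same-origin only. The shared view
    lists the allowed parents and omits X-Frame-Options, since that header
    has no multi-domain form. An empty list fails closed to 'self'.
    """
    if not view_is_embeddable:
        return {
            "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'",
        }
    origins = sorted({normalize_origin(o) for o in allowed_origins})
    sources = " ".join(["'self'"] + origins)
    return {"Content-Security-Policy": f"frame-ancestors {sources}"}


if __name__ == "__main__":
    # Constructed sample values. In a Zope/Plone view each pair would be
    # applied with self.request.response.setHeader(name, value).
    for name, value in framing_headers(True, ["https://partner.example/"]).items():
        print(f"{name}: {value}")
```

Whatever sets the site-wide X-Frame-Options default must not also add that header to the shared view's response, otherwise browsers without `frame-ancestors` support will still apply it.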
I already did a view template using the master macro from main_template.
Try without including that (macro) line.
You don't need header, footer etc.
Also check out ‘fill-slots’.
I am not sure where the docs about fill-slots are, try googling it.