We received reports the other day that the widget has stopped working, and after some review we discovered the X-Frame-Options header that is now included in the newest release of plone.protect (we're using v3.0.18).
We changed this header by adding the following to the browser view __call__() method:
@davilima6 this is not working for me because of a mix of https and non-https -> Heroku uses SSL and the iframe does not, so Firefox is blocking the content of the iframe
Well, indeed, if you change the link I posted to https, the widget stops working. I confirm that. No matter what browser.
Besides, I noticed they don't have an https version of the site. I guess if they had, it would work for all by omitting the protocol from the iframe source when advertising the widget.
Why did you have to create a widget? Why not use ? Asking because that's what I'm using on a Plone 5.0 test instance. Should I not be using that? As long as the "http" part matches for both sites, it works.
Thank you for your feedback, guys; in fact, in my case, a browser plugin (Privacy Badger) was blocking the iframe content and it was driving me mad.
@vangheem how can I avoid the protect.js script from being added at the end of this browser view?
BTW, I was reading yesterday about Content Security Policy Level 2 and saw the X-Frame-Options header is already deprecated in favor of the frame-ancestors directive.
@3dogMcNeill the iframe is used to insert content in other Government or third party sites; the widget is used to select what content you want to include in the iframe.
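
Added example, not part of the thread and not plone.protect's own code: one way to express "only these sites may embed the view" with the `frame-ancestors` directive mentioned above, instead of relaxing X-Frame-Options for everyone. The function names and the sample origins are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
_DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' or raise ValueError.

    Strict on purpose: no wildcards, paths, credentials or IPv6 literals, so
    nothing caller-supplied can smuggle extra directives into the header.
    """
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme not in _DEFAULT_PORT or not _HOST_RE.match(host):
        raise ValueError("not an http(s) origin: %r" % origin)
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("origin must be scheme://host[:port]: %r" % origin)
    port = parts.port  # raises ValueError itself on a malformed port
    if port in (None, _DEFAULT_PORT[parts.scheme]):
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def framing_headers(allowed_embedders):
    """Response headers for a view that only `allowed_embedders` may frame."""
    origins = sorted({normalize_origin(o) for o in allowed_embedders})
    if not origins:
        # Nobody may frame the view: both headers can express that.
        return {
            "Content-Security-Policy": "frame-ancestors 'none'",
            "X-Frame-Options": "DENY",
        }
    # X-Frame-Options has no portable multi-origin form, so the allowlist
    # is carried by frame-ancestors alone.
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(origins)}


# Constructed sample allowlist (hypothetical embedding sites).
SAMPLE = ["https://Portal.example.gov/", "https://partner.example.org:443"]

if __name__ == "__main__":
    for name, value in framing_headers(SAMPLE).items():
        print("%s: %s" % (name, value))
```

In a Zope browser view the returned pairs would be applied with `self.request.response.setHeader(name, value)`; how that interacts with the header plone.protect adds is not covered by this sketch.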