SOLVED

Content Security Policy response header on landing pages

angelalau
Level 1

Is it possible to add a Content-Security-Policy response header to landing pages? I would like to use the frame-ancestors directive to allow specific hosts to embed our Marketo landing pages while disallowing all others. The "Do not allow Marketo pages to be embedded in external web pages" setting seems to suggest that the options are to allow 1) same origin web pages only or 2) all external pages. We have our Marketo landing pages on one subdomain and embed some of these landing pages in iframes on another subdomain. For our use case to work, we cannot restrict frame ancestors to pages from the same origin, but allowing all external web pages seems too lax from a security standpoint.

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Content Security Policy response header on landing pages

I'm not aware of a way to add the CSP header. Certainly there is no way to do it in the UI; it would have to be configured by Support if done at all. You might open a case just to be sure.


angelalau
Level 1

Re: Content Security Policy response header on landing pages

Thanks for confirming. We are planning to migrate the landing pages from Marketo to our CMS for better design consistency. Added bonus: the CMS has all the web security headers in place.
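
The gap the question describes (same-origin only, everyone, or a `frame-ancestors` allowlist) can be checked with the sketch below, an added example that is not part of the original thread and not Marketo code. It is a simplified model of the browser's decision that handles only `*`, `'self'` and host-source expressions; the hostnames and the `framingAllowed` and `matchesSource` names are assumptions made for illustration.

```javascript
// Constructed hosts (assumptions): landing pages on pages.example.com,
// embedded by www.example.com. Header names are passed in lowercase.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Match one frame-ancestors source expression against one ancestor URL.
// Handles *, 'self' and host-sources; anything else fails closed.
function matchesSource(expr, ancestor, page) {
  if (expr === "*") return ancestor.protocol in DEFAULT_PORT;
  if (expr.toLowerCase() === "'self'") return ancestor.origin === page.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without a scheme the page's own scheme applies; http also matches https.
  const expected = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  const schemeOk = ancestor.protocol === expected ||
    (expected === "http:" && ancestor.protocol === "https:");
  // "*.example.com" matches subdomains only, never example.com itself.
  const h = host.toLowerCase();
  const hostOk = wildcard ? ancestor.hostname.endsWith("." + h) : ancestor.hostname === h;
  // No port in the expression means the default port for the ancestor's scheme.
  const effective = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  const portOk = port === "*" || (port ? port === effective : ancestor.port === "");
  return schemeOk && hostOk && portOk;
}

// True if a browser following these headers would let the page render
// inside the given chain of ancestor frames (every ancestor must match).
function framingAllowed(headers, pageUrl, ancestorUrls) {
  const page = new URL(pageUrl);
  const ancestors = ancestorUrls.map((u) => new URL(u));
  const directive = (headers["content-security-policy"] || "")
    .split(";").map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // frame-ancestors, when present, replaces X-Frame-Options entirely.
    // 'none' or an empty list matches nothing, so every ancestor is refused.
    const sources = directive.slice(1);
    return ancestors.every((a) => sources.some((s) => matchesSource(s, a, page)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestors.every((a) => a.origin === page.origin);
  return true; // no framing control: any site may embed the page
}
```

Running a staging response's headers through a check like this before go-live shows whether the sibling subdomain is admitted while unrelated origins are refused.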