Re: Content Security Policy response header on landing pages

angelalau · ‎08-17-2021

Is it possible to add a Content-Security-Policy response header to landing pages? I would like to use the frame-ancestors directive to allow specific hosts to embed our Marketo landing pages while disallowing all others. The "Do not allow Marketo pages to be embedded in external web pages" setting seems to suggest that the options are to allow 1) same origin web pages only or 2) all external pages. We have our Marketo landing pages on one subdomain and embed some of these landing pages in iframes on another subdomain. For our use case to work, we cannot restrict frame ancestors to pages from the same origin, but allowing all external web pages seems too lax from a security standpoint.

SanfordWhiteman · ‎08-18-2021

I’m not aware of a way to add the CSP header. Certainly there is no way to do it in the UI; it would have to be configured by Support if done at all. You might open a case just to be sure.

View solution in original post

SanfordWhiteman · ‎08-18-2021

I’m not aware of a way to add the CSP header. Certainly there is no way to do it in the UI; it would have to be configured by Support if done at all. You might open a case just to be sure.

angelalau · ‎08-27-2021

Thanks for confirming. We are planning to migrate the landing pages from Marketo to our CMS for better design consistency. Added bonus: the CMS has all the web security headers in place.