Is it possible to add a Content-Security-Policy response header to landing pages? I would like to use the frame-ancestors directive to allow specific hosts to embed our Marketo landing pages while disallowing all others. The "Do not allow Marketo pages to be embedded in external web pages" setting seems to suggest that the options are to allow 1) same origin web pages only or 2) all external pages. We have our Marketo landing pages on one subdomain and embed some of these landing pages in iframes on another subdomain. For our use case to work, we cannot restrict frame ancestors to pages from the same origin, but allowing all external web pages seems too lax from a security standpoint.
Thanks for confirming. We are planning to migrate the landing pages from Marketo to our CMS for better design consistency. Added bonus: the CMS has all the web security headers in place.
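The three framing policies weighed in the question, as an added example that is not part of the original thread: a simplified Python check of which embedding origins each policy admits, covering same-origin only, allow all, and a `frame-ancestors` allow-list. The origins and header sets are constructed, the mapping of the Marketo setting to `X-Frame-Options: SAMEORIGIN` is an assumption, and source matching is reduced to scheme, host and port for a single ancestor.

```python
from urllib.parse import urlsplit

# Constructed origins and header sets (assumptions, not taken from the thread).
PAGE, SITE, OTHER = ("https://pages.example.com", "https://www.example.com",
                     "https://other.example.net")
SAMEORIGIN_ONLY = {"X-Frame-Options": "SAMEORIGIN"}  # assumed effect of the setting
ALLOW_ALL = {}                                        # no framing header sent
ALLOWLIST = {"Content-Security-Policy":
             "default-src 'self'; frame-ancestors 'self' https://www.example.com"}

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def _matches(source, page_origin, ancestor_origin):
    """Simplified source matching: 'none', 'self', *, scheme://host, scheme://*.host."""
    if source.lower() == "'none'":
        return False
    if source == "*":
        return True
    if source.lower() == "'self'":
        return ancestor_origin == page_origin
    anc = urlsplit(ancestor_origin)
    src = urlsplit(source if "://" in source else f"{anc.scheme}://{source}")
    if src.scheme != anc.scheme or src.port != anc.port:
        return False
    if (src.hostname or "").startswith("*."):
        return (anc.hostname or "").endswith(src.hostname[1:])
    return src.hostname == anc.hostname

def may_embed(headers, page_origin, ancestor_origin):
    """True if a page at page_origin sending headers may be framed by ancestor_origin."""
    sources = frame_ancestors(headers.get("Content-Security-Policy"))
    if sources is not None:  # frame-ancestors takes precedence over X-Frame-Options
        return any(_matches(s, page_origin, ancestor_origin) for s in sources)
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor_origin == page_origin
    return True  # no restriction: any site can frame the page

if __name__ == "__main__":
    for name, hdrs in [("same-origin", SAMEORIGIN_ONLY), ("allow-all", ALLOW_ALL),
                       ("allow-list", ALLOWLIST)]:
        print(name, {o: may_embed(hdrs, PAGE, o) for o in (PAGE, SITE, OTHER)})
```

Only the allow-list policy admits the sibling subdomain while still refusing the unrelated origin, which is the combination the question asks for.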