Idea Summary
APEX currently has an “Embed in Frames” option under Shared Components → Security Attributes → Browser Security. It works by setting the X-Frame-Options header.
It would be nice to be able to allow specific trusted websites to embed an APEX application, without reducing security by allowing any site to embed it. This would be possible by also setting the Content-Security-Policy header for browsers that support it (all major browsers at this point).
Use Case
This would be useful for things like dashboards or forms that you might need to embed in another website you control, but that shouldn't be generally embeddable by anyone.
Preferred Solution (Optional)
The Content-Security-Policy header's frame-ancestors directive would be the way to implement this.
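A sketch of how an allow-list of trusted sites could be turned into the two response headers, as an added example that is not Oracle APEX code or part of the original idea. The function names and the `example.com` origins are hypothetical, and accepting only exact `https` origins is a choice made for this example.

```python
from urllib.parse import urlsplit


def normalize_origin(value):
    """Return 'https://host[:port]' for one trusted site, or raise ValueError."""
    # Whitespace, ';' and ',' would let a value inject extra sources or directives.
    # '*' is valid CSP syntax, but this example only accepts exact hosts.
    if any(ch.isspace() or ch in ";,'\"*" for ch in value):
        raise ValueError(f"illegal character in origin: {value!r}")
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError(f"only https origins are accepted: {value!r}")
    if "@" in parts.netloc or not parts.hostname or ":" in parts.hostname:
        raise ValueError(f"not a plain host name: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"give an origin, without path or query: {value!r}")
    port = parts.port  # raises ValueError on a malformed port
    suffix = f":{port}" if port not in (None, 443) else ""
    return f"https://{parts.hostname}{suffix}"


def frame_headers(trusted_origins):
    """Build the headers that let only 'self' and the listed sites embed the app."""
    sources = ["'self'"]
    for origin in trusted_origins:
        normalized = normalize_origin(origin)
        if normalized not in sources:  # drop duplicates, keep order
            sources.append(normalized)
    return {
        # Browsers that support frame-ancestors enforce it and ignore
        # X-Frame-Options when both headers are present.
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        # X-Frame-Options cannot express a list of sites, so browsers without
        # frame-ancestors support fall back to same-origin framing only.
        "X-Frame-Options": "SAMEORIGIN",
    }


if __name__ == "__main__":
    # Constructed sample allow-list.
    allow = ["https://Portal.example.com/", "https://intranet.example.com:8443"]
    for name, value in frame_headers(allow).items():
        print(f"{name}: {value}")
```

Rejecting malformed entries when the allow-list is saved, rather than when the header is sent, keeps a bad value from silently widening or breaking the policy.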