Adding HTTP Headers per WebPage

Long story short, I have some WebPages that I want to be embeddable by an external site in an iframe, and some that I don’t.

On those WebPages that should be embeddable, I need to change the “Content-Security-Policy” http header in order to allow it. Is there a way to access the response headers from the WebPage?

It seems like response headers I set in HandleURL are ignored when it returns false to load a WebPage.

I’ve used “Self.Security.FrameEmbedding” to embed Xojo-based Web apps into NetSuite.

I wonder if that will work for you, too?

2 Likes

Thanks Tim! That’s a nice workaround for now! But once I move to production I will need to control the list of domain names that are allowed to embed, and that will require access to the headers.

Have you tried with WebSession.PreparingSession?

1 Like

Thanks Ricardo, but this gives me the HTML header, not the HTTP header.

1 Like

I clearly need some coffee 🙃

I’m not seeing any public API for what you need (modifying HTTP headers outside HandleURL), but you should be able to set up the Content-Security-Policy as a meta element in the HTML header:

But please open a Feature Request if you really need to modify the response headers.

An example from MDN showing the HTTP header vs HTML meta tag:

// header
Content-Security-Policy: default-src https:

// meta tag
<meta http-equiv="Content-Security-Policy" content="default-src https:">

We do these things on the Apache (or Nginx) proxy in front of Xojo web apps.

@Christian_Wheel - if all you’re trying to do is protect browser access to your pages, you can accomplish what you want using a combination of what @Tim_Dietrich and @Ricardo_Cruz suggested.

First of all, set the FrameOptions property to SameOrigin if you’re trying to restrict to just a domain that you control, otherwise use “Allow”.

Then in App.HandleURL (as opposed to session), you can control the whole HTTP response if the host is not of a domain that you accept:

Dim requestHost As String = Request.Header("host")
// check to make sure it's allowed (placeholder allow-list: replace with the domains you accept)
Dim allowed As Boolean = (requestHost = "your-domain.example")
If Not allowed Then
    Response.Header("header-name") = "header-value"
    Response.Status = 404
    Return True // overrides the response
End If

Keeping in mind that App.HandleURL will not let you override the URLs of an existing session or of any WebFiles whose Session property is set to nil. The docs should have notes about what you can and cannot intercept.

1 Like

Thanks everyone… This seems like a good approach to secure an entire app. I’m looking for more granular control. How can I allow the embedding of WebPage1 in an iframe but not WebPage2?

You’ll have to write some code to detect if your app is running in an iframe and then prevent it from showing. Remember, a WebPage in a Xojo app isn’t a page at all. It’s simply a new view drawn on top of the viewable area.

In Xojo-speak, it’s like a PagePanel with one container control per page.

2 Likes
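As an added example (not code from the thread or from Xojo), here is the client-side check the last reply describes, in JavaScript: a per-WebPage allow-list of embedder origins and a decision function that fails closed when the app is framed by an unknown origin. `FRAME_POLICY`, `framingDecision`, `ancestorOriginsOf` and `fakeWindow` are names chosen for this example, and the origins are constructed sample values; the server-side `Content-Security-Policy: frame-ancestors` header (set in HandleURL or on the proxy) remains the authoritative control, and this only decides whether a given WebPage renders once the app is already inside an iframe.

```javascript
// Per-page allow-list (constructed sample values): WebPage name -> embedder origins.
// A page that is absent from the map, or has an empty list, is never embeddable.
const FRAME_POLICY = {
  WebPage1: ["https://partner.example"], // may be framed only by this origin
  WebPage2: [],                           // must never be framed
};

// Origins of the documents that embed us, outermost last, as far as the browser
// reveals them. Chrome/Safari expose location.ancestorOrigins; Firefox does not,
// so fall back to document.referrer, which only names the direct parent and which
// an embedder can suppress via Referrer-Policy (then we return [] and fail closed).
function ancestorOriginsOf(win) {
  const list = win.location && win.location.ancestorOrigins;
  if (list && list.length > 0) return Array.from(list);
  const ref = win.document && win.document.referrer;
  if (ref) {
    try { return [new URL(ref).origin]; } catch (_) { return []; }
  }
  return [];
}

// Returns "show" when the page may render its content, "hide" when it must not.
// Every known ancestor must be on the page's allow-list (mirrors how the
// frame-ancestors directive evaluates the whole chain of embedders).
function framingDecision(pageName, win) {
  const framed = win.self !== win.top;
  if (!framed) return "show"; // top-level load: nothing to restrict
  const allowed = FRAME_POLICY[pageName] || [];
  const ancestors = ancestorOriginsOf(win);
  if (ancestors.length === 0) return "hide"; // framed by an unknown origin
  return ancestors.every((o) => allowed.includes(o)) ? "show" : "hide";
}

// Minimal window-like object (constructed) so the logic can run outside a browser.
function fakeWindow({ framed, ancestorOrigins = [], referrer = "" }) {
  const top = {};
  return {
    self: framed ? {} : top,
    top,
    location: { ancestorOrigins },
    document: { referrer },
  };
}
```

In the Xojo app the same decision would run in the WebPage's Opening event, hiding the page's controls or redirecting when the result is "hide".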