Director Tab >> Content Security Tab

The Content Security Tab of the Director Tab manages how your Ticketing Site can and cannot be included in another site via iFrames.

xFrame Option

The options are:

  • OFF
    • Doesn't include headers at all
    • Everyone can put your site in an iframe
  • SAMEORIGIN
    • Only the exact same domain can use iframes
  • DENY
    • No one can put your site in an iframe, OR
    • Specify any number of URLs that are allowed to put your site in an iframe (the same domain is always included in addition to what you specify)

The implementation works by using the more modern Content-Security-Policy HTTP header, but it still includes the X-Frame-Options HTTP header both to pass your PCI test and to support legacy browsers.

Unfortunately, the X-Frame-Options HTTP header does not support specifying multiple domain names, so in that case, older browsers will only be able to see iframes if they are from the same domain even if you specify multiple domains in Theatre Manager.

We are passing both Content-Security-Policy and X-Content-Security-Policy and using Content Security Policy 1.0. This gives support in most browsers so the fallback issues are limited to a very small number of browsers.
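The fallback behaviour described above can be checked against a site's response headers. The following Python example is added here for illustration and is not Theatre Manager code; it assumes the allow-list is delivered as a CSP `frame-ancestors` directive alongside `X-Frame-Options: SAMEORIGIN`, and the hostnames are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """Scheme + host[:port], lower-cased, for exact origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_ancestors(headers):
    """Return the frame-ancestors source list from the CSP header, or None."""
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def framing_allowed(headers, site, parent, legacy=False):
    """Would a browser render `site` inside a page served from `parent`?
    legacy=True models a browser that only understands X-Frame-Options.
    Only the direct parent and exact-origin sources are handled here.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    same_origin = origin(site) == origin(parent)
    sources = None if legacy else frame_ancestors(headers)
    if sources is not None:  # frame-ancestors takes precedence over X-Frame-Options
        for src in sources:
            if src == "*" or (src.lower() == "'self'" and same_origin):
                return True
            if not src.startswith("'") and origin(src) == origin(parent):
                return True
        return False  # covers 'none' and origins that are not listed
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # no framing header: anyone may frame the page

# Constructed sample: headers assumed for a ticketing site with an allow-list.
SITE = "https://tickets.example.org"
ALLOW_LIST_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://www.example.org",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for parent in (SITE, "https://www.example.org", "https://other.example.com"):
        print(parent, framing_allowed(ALLOW_LIST_HEADERS, SITE, parent),
              framing_allowed(ALLOW_LIST_HEADERS, SITE, parent, legacy=True))
```

With these sample headers, the allow-listed parent is accepted by a CSP-aware browser but refused by a legacy one, which is the gap to expect when testing embedded pages on older browsers.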


Allowable URLs

When a list of allowable URLs is specified, enter the URLs that you want in this space, separated with a comma.