We are currently using webflow as a tool to allow the rapid development of simple web resources by non developers. Rather than requiring dns configuration for every tool we are using the CMS hosting level and using custom internal proxying to serve resources on our own domain.
I understand that iframe usege is blocked on free hosting, however, since our account is being run at the paid level I would assume that the “Use Secure Frame Headers” being disabled would allow for embedding of the resource.
However that does not seem to be the case.
Requesting the resource has a header of
Content-Security-Policy frame-ancestors 'self' https://*.webflow.com http://*.webflow.com http://*.webflow.io http://webflow.com https://webflow.com
Clearly this can be extracted (or replaced) with our internal tooling, but I am curious if that toggle is not meant to do anything?