The page editor is setup and works in dev, but on live when requesting the page in the editor
domain.com/cmsctx/pm/... adds the header Content Security Policy set to frame-ancestors self.
But on dev its set up frame-ancestors www.domain.com admin.domain.com.
Any idea what drives this setting and why it would differ in live?
Do you have any administration domain aliases set maybe? Could those be different on dev vs prod?
No domain aliases empty on both.
The only difference really is the prod is behind Azure App Gateway.
So I've solved by getting it to add the headers on response. But ideally would like to resolve properly.
We had similar problems using Azure Front Door. Leaving the "Backend host header" empty fixed it for us.
Thank you for your response Jeroen, but I need the backend host headers to correctly route to app service
Please, sign in to be able to submit a new answer.