Update: The x-frame-options have been removed in v5.1.0 because the cookies config is not the correct context for this setting.
Another new version of TypeRocket is now available with the new service class TypeRocket\Services\SecureAuthCookiesService. This class allows you to control how WordPress handles authentication and login cookies. This service is not required or enabled by default. However, if you want to make your WordPress authentication cookies more secure or less secure, this service is designed to do just that.
There are a few use cases for this service:
- You want to force all authentication cookies to require HTTPS and
SameSite=Strict. This is helpful when you need to ensure the highest level of security. - You want to embed the WordPress admin on a site within an iframe. For example, maybe you want to convert WordPress into an embeddable Shopify application that requires "iframing".
To start using the service, you must use the overrides folder system or a composer install. Then add the class to your app.services config list. Next, to configure the service options add the newcookies.php config file to your existing config folder overrides.
# remove x-from-options manually
remove_action('admin_init', 'send_frame_options_header');
remove_action('init', 'send_frame_options_header');
remove_action('login_init', 'send_frame_options_header');