I have struggled for days using WordPress Multisite and a WordPress theme called “Elementor”. It works great on the main site but not on subdirectory sites due to cross-site scripting errors that point to the X-Frame-Options: DENY setting that is forced by Let's Encrypt and results in these errors:
Blocked a frame with origin “https://www.yourwebsite.com” from accessing a cross-origin frame.
Permission denied to access property “elementorFrontend” on cross-origin object
The usual fix for this is to set X-Frame-Options: SAMEORIGIN in the .htaccess file. I tried that and the same errors persisted. I thought it might be the Apache 2 service or the Nginx service because both of them can also have a setting for this issue.
Ultimately, I became aware that Let's Encrypt has that X-Frame-Options: DENY setting to protect all of the sites it encrypts with SSL.
It is a good thing because it prevents “ClickJacking” if not properly set up on a website.
For me it is a big inconvenience because the Elementor theme doesn’t work without the proper X-Frame-Options: SAMEORIGIN setting in a WordPress Multisite situation.
Everything in the WordPress Multisite environment works as it should when only using HTTP, but Let's Encrypt’s best intentions stop some wonderful software from working.
If Let's Encrypt would provide a way to override that setting it would solve a problem that has been vexing users for years.
I can bypass the issue by paying for SSL certificates that don’t use Let's Encrypt, but that would get expensive very quickly in a multisite environment.
The only other way to make this all work at this time is to not use SSL certificates, but then nobody would actually trust the sites with all that Chrome has done to force SSL now for every site.
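
A check for the situation described in the post, where setting SAMEORIGIN in .htaccess does not change the result: given the raw response headers, it reports the framing policy a browser ends up with when more than one layer emits X-Frame-Options. This is an added example, not part of the original post; the sample headers are constructed, the function names are hypothetical, and the Content-Security-Policy frame-ancestors handling goes beyond what the post mentions.

```python
# Constructed sample: one layer adds DENY, .htaccess adds SAMEORIGIN.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
"""

def header_values(raw, name):
    """Return every value of header `name`, splitting comma-joined lists."""
    values = []
    for line in raw.splitlines()[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values += [v.strip() for v in value.split(",") if v.strip()]
    return values

def csp_frame_ancestors(raw):
    """Return the frame-ancestors source list of an enforced CSP, or None."""
    for policy in header_values(raw, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None

def effective_framing(raw):
    """Mirror browser handling of the framing headers in one response."""
    ancestors = csp_frame_ancestors(raw)
    if ancestors is not None:                  # frame-ancestors overrides XFO
        return "csp frame-ancestors " + " ".join(ancestors)
    xfo = {v.lower() for v in header_values(raw, "X-Frame-Options")}
    if len(xfo) > 1:
        if xfo & {"deny", "sameorigin", "allowall"}:
            return "blocked (conflicting values: " + ", ".join(sorted(xfo)) + ")"
        return "no restriction"                # only invalid values present
    if xfo == {"deny"}:
        return "blocked"
    if xfo == {"sameorigin"}:
        return "same-origin only"
    return "no restriction"

if __name__ == "__main__":
    print(header_values(SAMPLE, "X-Frame-Options"))
    print(effective_framing(SAMPLE))
```

Feeding it the output of `curl -sI` for a subdirectory site shows whether the header is arriving once or from several layers; a second, conflicting value is treated as a block even when one of the values is SAMEORIGIN.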