XOM
Embedding Guide

Site Embedding & Proxy

XOM's Web Container loads external websites directly inside your feed. Some sites block iframe embedding by default — here's why and how to fix it.

⚠️ Why is the site not loading?

The website you linked has set X-Frame-Options: DENY or a Content-Security-Policy header that prevents it from being loaded inside any iframe. This is the external site's configuration, not an XOM issue.

🔧 How to allow embedding

If you own the site, update your server headers to allow XOM to embed it:

1
Remove X-Frame-Options

Delete the X-Frame-Options: DENY header from your server config, or change it to allow specific origins.

2
Add Content-Security-Policy

Add this header to whitelist XOM:

Content-Security-Policy: frame-ancestors 'self' https://xom-b4cff.web.app https://xom.app
3
Redeploy your site

Push the header changes to your hosting provider (Vercel, Firebase, Netlify, etc.) and the site will load in XOM immediately.

📋 Quick config by platform

Vercel (vercel.json)
"headers": [{ "source": "/(.*)", "headers": [{ "key": "Content-Security-Policy", "value": "frame-ancestors 'self' https://xom-b4cff.web.app https://xom.app" }] }]
Firebase (firebase.json)
"headers": [{ "source": "**", "headers": [{ "key": "Content-Security-Policy", "value": "frame-ancestors 'self' https://xom-b4cff.web.app https://xom.app" }] }]
Nginx (nginx.conf)
add_header Content-Security-Policy "frame-ancestors 'self' https://xom-b4cff.web.app https://xom.app";
Netlify (_headers)
/*
  Content-Security-Policy: frame-ancestors 'self' https://xom-b4cff.web.app https://xom.app

💡 FAQ

What if I don't own the site?

Unfortunately, you cannot embed sites you don't control if they block iframes. Try linking to them with a standard URL post instead.

Will the proxy mode help?

XOM's proxy mode can bypass some restrictions, but many sites block proxy requests too. The most reliable fix is updating the site's headers.

Is this a security risk?

No — allowing iframe embedding for specific trusted domains (like XOM) is standard practice. The frame-ancestors directive ensures only the domains you list can embed your site.

Does this affect my site's SEO?

No. Content-Security-Policy headers do not impact search engine indexing or SEO performance.

Need help? Contact us at support@xom.app

© 2026 XOM — eXperience Over Media