Well, after reading lots of threads, I already know the X-Frame option is set to SAMEORIGIN, hardcoded in
server / lib / private / legacy / response.php.
I tried editing it, and also adding this Nginx directive (I’m using Plesk)
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "";
and also in my HTTPs directives in Apache, but none of them seem to allow my other domain I’m trying to allow. I’ve also restarted apache and nginx, but I still can’t iframe my media file in the <audio> tag. What’s the correct way to allow a specific domain, or what am I missing?