Skip to content

Releases: getkirby/kirby

4.0.0-rc.1

10 Nov 09:58
da7346e
Compare
Choose a tag to compare
4.0.0-rc.1 Pre-release
Pre-release

✨ Enhancements

  • Exclude UI docs and lab from regular bundle #5909
  • k-stat supports new icon prop #5908
  • Tweaked style of Toggle input #5916
  • k-header: add warning for removed tabs support #5918
  • New activation tooltip and better design for the activation button in the menu. #5921
  • Switch to “Activate” wording instead of “register” #5922
  • Dom: New allowHostRelativeUrls sanitization option (true by default) to perform less strict checks when the HTML <base> element is used
  • Dom: Custom sanitization callbacks for attributes, elements and the doctype now also receive the $options array
  • Sane: New $isExternal mode specifically for external files that may be accessed directly

🐛 Bug fixes

  • Calendar input dropdown doesn't close without effect on click
  • Calendar input dropdown stays open when selecting a date
  • Calendar input dropdown: when clicking today button, also update the dropdown to show that date
  • Clicking a button in the textarea no longer changes the scroll position #5906
  • The textarea restores the size again after reverting changes #5871
  • The textarea scrolls to a new line again #5868
  • Removes breaking change: this.$library.autosize is back
  • Fix grid and border radius in the TOTP dialog #5911
  • Fix drag to empty blocks list #5910
  • UUID permalinks added via the link dialog of the writer field are no longer removed in subfolder setups #5208
  • Structure fields with gap fields can be added again
  • The pagination dropdown no longer disappears before a selection can be made #5940
  • Fix field states without options #5947
  • Page move dialog: fix currently selected #5573
  • Highlight selected values in multiselect field instead of hiding them #5744
  • Fix keyboard navigation in the Tags field filter input #5741
  • Proper scrolling overflow in the Multiselect and Tags dropdown #5627
  • Fixed overflow issue for the Multiselect and Tags dropdown on mobile #5629
  • Fixed tags field focus issue #5939

🚨 Breaking changes

  • When sanitizing DOM objects (e.g. in the writer field, but not
    during the sanitization/validation of uploaded files), host-relative
    URLs that point outside the site root are now allowed as the use of the
    HTML <base> element is assumed for sites in a subfolder. To revert to the old, strict behavior, set the allowHostRelativeUrls option to false.
  • New $isExternal argument for the Sane\Handler::sanitize() and ::validate() methods that custom Sane handlers need to implement; it allows to
    differentiate between strings from external files that may be accessed
    directly and strings that will end up directly on the page

3.9.8-rc.1

07 Nov 11:27
1ce4180
Compare
Choose a tag to compare
3.9.8-rc.1 Pre-release
Pre-release

🎉 Features

  • New A::every(), A::find() and A::some() methods that implement the functionality of the JavaScript functions with the same names (thanks to @rasteiner) #5724
  • New option to add a CLI specific config file (thanks to @lukaskleinschmidt) #5581
// config.cli.php
return [
    'option.one' => 1,
    'option.two' => 2,
];

✨ Enhancements

  • The System view in the Panel now warns when the used PHP version is end-of-life and no longer receives security updates. #5728
  • Files with the .pht extension can no longer be uploaded to a Kirby site to provide additional protection in older server setups beyond our recommendations in the security guide (thanks to @akabe1). #5925

🐛 Bug fixes

  • Blocks field: pasting HTML does not remove crucial spaces anymore in inline contexts #4702
  • The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
  • $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
  • Append copy suffix of duplicated pages #5787
  • Fix searching for Unicode characters #5780
  • The backup copy of changed content now includes a JSON output for fields with structured data instead of scrambled data. #5791
  • The validation error "Please enter a date between ... and ..." for the date field now correctly includes the maximum date. #5920

4.0.0-beta.3

02 Nov 14:28
cb45cea
Compare
Choose a tag to compare
4.0.0-beta.3 Pre-release
Pre-release

🎉 Features

Second-factor auth via time-based one-time codes

TOTP (time-based one-time codes) are now supported for two-factor authentication via the new Kirby\Toolkit\Totp class #5654

<?php 
// /site/config/config.php

return [
  'auth' => [
    'methods' => [
      'password' => ['2fa' => true]
    ]
  ]
];
270112837-ff0bc4d4-5649-4a90-b853-db5de432ec2c

PHP 8.3 support

Kirby 4 now supports PHP 8.3 and drops support for PHP 8.0. #5774

New Panel Lab

d3a7840f-6191-4f43-b653-b93debde3dfd

Syntax highlighting in the k-code with prism

f1290475-b7f8-4739-a5d5-dd3cb68b2118

New Str::camelToKebab method

<?= Str::camelToKebab('fooBar') // output: foo-bar ?>

New k-text-drawer

this.$panel.drawer.open({
  component: "k-text-drawer",
  props: {
    text: "Hello world"
  }
});

New lab icon

67f6794e-2966-4e40-a07a-4dfd658b5e78

Plugin assets get easily exposed via the PHP API #5641

  • New $plugin->assets() collection
  • New $plugin->asset('styles.css') method
  • New PluginAsset object with many methods, e.g. $plugin->asset('styles.css')->url()
  • Plugin asset's media url contains a modification timestamp to easily cachebust (e.g. https://getkirby.com/media/plugins/getkirby/test-plugin/2375797551-472389240/styles.css)
  • css() and js() helpers support passing plugin and plugin assets objects to include all assets of the plugin
css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')
]);

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')->assets(),
]);

css([
  'assets/css/index.css',
  $kirby->plugin('foo/bar')->asset('styles.css'),
]);

New SymmetricCrypto class

User-friendly and safe abstraction for symmetrical authenticated encryption using the PHP sodium extension

use Kirby\Toolkit\SymmetricCrypto;

// encryption/decryption with a password
$crypto     = new SymmetricCrypto(password: 'super secure');
$ciphertext = $crypto->encrypt('a very confidential string');
$plaintext  = $crypto->decrypt($ciphertext);

// encryption with a random key
$crypto     = new SymmetricCrypto();
$ciphertext = $crypto->encrypt('a very confidential string');
$secretKey  = $crypto->secretKey();

// encryption/decryption with a previously generated key
$crypto     = new SymmetricCrypto(secretKey: $secretKey);
$ciphertext = $crypto->encrypt('a very confidential string');
$plaintext  = $crypto->decrypt($ciphertext);

More

  • New F::safeExtension() method #5760
  • New F::safeBasename() method #5760
  • New $date->formatWithHandler() method for Kirby date objects that allows to use different date handlers or even the globally configured one (default).

✨ Enhancements

  • panel.menu config option can be a closure now that receives the $kirby object as argument
  • Floating notifications #5600
  • Tweaked styles for choice inputs #5756
    checkbox
    radio
    toggle
  • UX improvements for the multiselect and tags inputs #5742
    • Remove the label on top of the selector.
    • Don't show "no options" when query doesn't show any matches and
      creating a new option is allowed. The create button already provides
      enough context of what action is available. For accept: options keep the empty text to give context what's happening.
    • When replacing an existing tag that is an option, the replace button no longer shows #5743
    • Fixed disable state #5749
    • Text block: consistent padding for writer #5727
  • Items without links will now automatically be disabled in the breadcrumb
  • Search inputs: turn off autocomplete #5775
  • Str::date() and its dependents (e.g. F::modified(), File::modified(), Dir::modified()) now respect the globally configured date handler
  • Upgrade to Symfony YAML to v6 #5778
  • The "Session ... is currently read-only because it was accessed via an old session" error is circumvented when the PHP sodium extension is available #5319
  • Removed the error boundary from k-fieldset The error boundary kills the entire field/input if an error occurs, which is way too aggressive and also makes it more difficult to handle errors properly. #5790
  • New k-stat component #5801
  • New layout prop mixin #5802
  • New dumb k-toolbar #5806
  • k-navigate: support custom HTML element via element prop
  • Textarea supports toggling command, e.g. bold, code… #5837
  • New items size full #5849
  • New panel.isOffline state
  • Checking and writing content lock is skipped when Panel is offline #5890
  • Fix PluginAssets::clean() #5836
  • Writer supports directly switching from a list to paragraph #5886
  • New $helper.field.defaultValue(field) method
  • Better default value creation in $helper.field.form(fields)

🐛 Bug fixes

  • $site->search() allows to provide a string with field names as $params again #5713
  • Exceptions don't prefix i18n keys with error prefix if already prefixed
  • $collection->remove() and $collection->__unset() in Toolkit collections behave like $collection->set()/$collection->__set() by default and ignore the key case #5704
  • Keep layout settings after changing layout #5726
  • Link field: doesn't display site as option anymore #5717
  • Writer: adding link, insert text when no selected #5684
  • Disabled calendar and time pickers in disabled date and time fields #5735
  • Fix custom writer marks and nodes name #5733
  • Options, e.g. page options, won't override other roles' permissions anymore #5759
  • The tags and multiselect fields hide the add button when disabled #5723
  • Page create dialog: validate fields when directly publishing to not create orphaned page on errors #5616
  • Selector dropdown: fix glitch when resizing window #5746
  • Heading block: support toolbar option for writer #5703
  • Consistent @ k-string-input padding
  • Writer toolbar: active nodes are correctly handled #5751
  • Writer toolbar: paragraph node gets removed when editor doc doesn't support it
  • Select options with integer values work properly now #5013
  • Fixed reactivity in the fieldset component. This also fixes an issue with auto-filled inputs #5689
  • Fix pasting blocks when a required fieldset is not available #5769
  • Fix Panel::go() calls in dialog and drawer submit code.
  • Plugin asset CSS files no longer miss timestamps in the URL #5164 #148
  • Fixed option slot in the items table. The options column was always visible, no matter if the slot was set or not. #5792
  • Search now takes access permissions into account what types can be shown #5757
  • k-navigate: focusable elements are correctly detected for dynamic content
  • Fix styling glitches on k-tag
  • The thumb cached is only cleared when the focus point changed #5311
  • Toggle field preview: don’t open drawer when the toggle is clicked #5813
  • Fix random structure ids #5702
  • Fix outside click for blocks #5621
  • Fix multiselect for nested blocks #5626
  • Fix Search view [#5833](https://...
Read more

3.9.7

06 Oct 10:48
8bb22df
Compare
Choose a tag to compare

🎉 Features

Adds support for whoops.blocklist config option to mask variables that are displayed when showing errors with Whoops. (thanks to @HYR)

return [
  // mask everything
  'whoops' => [
    'blocklist' => [
      '_COOKIE' => array_keys($_COOKIE),
      '_SERVER' => array_keys($_SERVER),
      '_ENV' => array_keys($_ENV),
    ]
  ]
];
return [
  // mask specific things
  'whoops' => [
    'blocklist' => [
      '_SERVER' => [
        'AWS_ACCESS_KEY_ID',
        'AWS_SECRET_ACCESS_KEY',
      ],
    ]
  ]
];

✨ Enhancements

  • Prevent kirby as user id #5514
  • Supports passing callable to Database\Query::fetch() #5651 (thanks @adamkiss)
  • Str::pool(): New base32 and base32hex pools (useful when a Str::random() needs to be printed in a human-readable way without easy to confuse 0/O and 1/I). #5715

🐛 Bug fixes

  • Use k-text-input for text field if no specific component exists for its type #5369
  • Invalid cached UUIDs are now corrected when index lookup succeeds #5430
  • Allow plugin assets with the .mjs extension #5473
  • Fixed $page->isUnlisted() which falsely would return true for drafts #5506
  • List field: fix disabled writer #5526
  • Fix $collection->group() for case-sensitive #5631
  • Calling a single database row when using a fetch closure works now #5640 (thanks @adamkiss)
  • Fix layout dropdown in structure field #5267

📚 Docs

  • Add note on dist files to contributing guide #5480

4.0.0-beta.2

28 Sep 14:57
ee62955
Compare
Choose a tag to compare
4.0.0-beta.2 Pre-release
Pre-release

🎉 Features

  • QR code generation built into Kirby: New Kirby\Image\QrCode class, qr() helper function and >toQrCode() field method #5666
    $qr = new Kirby\Image\QrCode('https://getkirby.com');
    $qr->toSvg(color: '#ff00ff');
    $qr->toDataUri(color: '#ff00ff');
    $qr->write(file: 'qr.png', size: 750, back: '#efefef')
    
    qr('https://getkirby.com')->toSvg();
    $page->myLinkField()->toQrCode()->toSvg();
  • New k-alpha-input and  k-hue-input #5693
  • New k-color-frame component to preview color swatches #5686
  • New k-coloroptions-input #5696 and k-colorname-input #5699
  • New k-search-input component #5705
  • New LazyValue class that can be used to resolve a value lazily. Collections and controllers use it to resolve many of Kirby's objects only when the collection/controller requests them, improving performance #5608

✨ Enhancements

  • k-tabs is now fully responsive #5583
  • k-pagination always can be navigated by keys (no extra prop needed anymore) #5578
  • ModelsSection: use Filter as label #5612
  • Text fields: new font: monospace option https://kirby.nolt.io/558
  • panel.css and panel.js config options now also support arrays with multiple entries as well as absolute URLs #5602
  • Responsive: show only text for language dropdown #5577
  • Notification: support custom icons #5601
  • Files, pages and users fields more consistent #5637
  • Blocks field: improve UI for no fieldsets #5679
  • k-calendar-input is now set up as a proper fieldset with legend and additional aria labels for improved accessibility. #5695
  • k-tag supports an image/icon frame #5686
  • Link field uses native k-tag image for preview #5686
  • Color field preview uses k-tag with k-color-frame in image slot #5686
  • Improved grids: Only break to single column at 30rem, not 40rem
  • Improved focus styles for links and the flag preview in tables
  • Improved text overflow behavior for links in tables
  • The color field now also translates valid CSS color names
  • Various table improvements
    • Better focus styles for the option and flag buttons in the table
    • Simplified CSS styles for the table
    • New --table CSS properties for more control
    • Better mobile responsiveness for tables with a scrollable container instead of hiding cells
    • Better disabled state with aria-disabled property
    • New disabled property for the k-options-dropdown component
    • More reliable margin rules for k-text
    • Full k-text style support for the k-html-field-preview component
    • The table rows are now the same height as inputs, boxes and items, which cleans up the design quite a bit
    • All field previews now use the --table-cell-padding property to control their padding, which leads to more reliable styling options
    • All table setup variants have examples in the lab
  • New selected prop for k-button to set the aria-selected attribute. #5698

🐛 Bug fixes

  • Color field: added backend validation #5570
  • Color field: support grad, rad and turn angels for hsl format #5589
  • Fix color field border radius #5655
  • Fixed dropdown positioning in RTL languages #5599
  • Fixed return type for create methods #5586
  • Creating listed pages no longer bypasses permissions #5365
  • Fix regression for automatic plugin assets #5620
  • Fixed problem deleting images in pages/files field #5623
  • Fixed overflow issue in grids #5633
  • Upload dialog: fix error overflow #5622
  • The file upload now creates files with the right extension if the format is converted #5593
  • Fixed reading invalid block types #5660
  • Blocks field: max option respected when pasting blocks #5673
  • Allow to use SVG fill attributes again #5668
  • Blocks can be pasted before the selected block via the “insert before” dialog #5678
  • $page->search() allows to provide a string with field names as $params again getkirby.com#2094
  • Fix collapsing block fields preview #5669
  • Fix sticky columns #5664
  • Fixed translation string for the blocks field
  • The link field shows up correctly if no options are defined
  • The current scroll position is now correctly restored when opening a dropdown. This will no longer cause the main view to scroll up when a dropdown is opened. #5691
  • k-calendar-input can now receive a regular iso date as value.
  • File preview: fixed thumb placement and sizing in Safari #5605 #5604 #5603
  • File view: fixed issues with the Panel menu when resizing in Safari #5606
  • k-bubbles-field-preview and all other previews that extend it now correctly display when there are no bubbles
  • k-color-field-preview correctly displays the pattern when no color is set
  • The sticky header in the table now uses the --header-sticky-offset to fix it's stickiness.
  • Various block fixes
    • Added default values for object props to avoid breaks
    • Fixed various inconsistencies in k-block-title styles
    • Better defaults and removed outdated props in k-block-figure
    • Fixed padding in the block header of the field block type component.

♻️ Refactored

  • k-pagination: removed unused align and dropdown props #5578
  • Clean up type hints for Str::short() #5688
  • k-color is now k-colorpicker-input #5685
  • k-coords is now k-coords-input #5685
  • Better reset for range inputs, stored in styles/rests/range.css
  • k-colorpicker-input now uses the new inputs
  • The basic choice styles have been moved to styles/reset/choice.css
  • k-time-field-preview now extends k-date-field-preview and improves time parsing and the default formatting
  • The fieldPreview mixin defines proper defaults for column and field
  • k-toggle-field-preview uses the low level k-toggle-input instead of k-input to avoid unnecessary markup
  • k-timeoptions-input replaces k-times. k-times is still available as deprecated alias. #5698
  • Date and Time fields use the new k-timeoptions-input #5698

☠️ Deprecated

  • <k-dropdown> was deprecated. Use <k-dropdown-content> as standalone instead.
  • k-calendar-input replaces k-calendark-calendar is still available but only as deprecated alias.

🚨 Breaking changes

  • k-pagination doesn't support setting custom labels/titles via nextLabel, prevLabel or pageLabel #5578
  • Removed deprecated DS constant. Use / instead. #5590
  • Panel\Assets::custom() now returns an array #5602
  • When impersonating the almighty kirby user, any permission check will succeed even if permission has been disabled for regular admins #5511
  • Renamed parameter of ::group() method of all collection classes to $caseInsensitive #5634
  • k-range is gone and replaced by k-alpha-range and k-hue-range
  • k-choice has been removed. Use k-choice-input instead
  • The unused theme prop has been removed from k-choice-input

🧹 Housekeeping

  • Uses lightningcss for Vite instead of postcss

4.0.0-beta.1

07 Sep 15:11
bc43ab0
Compare
Choose a tag to compare
4.0.0-beta.1 Pre-release
Pre-release

🎉 Features

  • Each Panel area can now define additional requests for simple data endpoints or actions #5531
  • New assets extension that allows plugins to specify assets from custom paths and with a wider range of extensions than previously supported #5557

✨ Enhancements

  • Async $helper.upload() JS #5487
  • Correct autofocus handling for blocks, layout, structure and picker fields #5524
  • $panel.upload() will now only start up to 20 uploads concurrently and adding additional uploads consecutively whenever a previous one finishes #5491
  • New design for the range field #5539
  • All minified panel assets now add .min to the filename. This will avoid auto-minification in Cloudflare and possibly other environments #5536
  • Page move dialog now disables all pages that are invalid new parents for the page #5531
  • The multiselect and tag dropdowns now offer more space to not cut off longer options #5533
  • New html prop for k-bubble, k-bubbles and k-bubbles-field-preview. #5493
  • Increase the font size for help text in sections and fields #5549
  • New translate icon #5565
  • Str::template() support single and double curly braces as start/end delimiters by default #5556
  • sortBy in structure fields works now #5567
  • More type hints #5559
  • Input CSS refactoring #5553
    • Simplified and cleaned up input CSS
    • Better configuration options for inputs through CSS variables
    • Increased font size to 16px on mobile #5395
  • Refactored k-text styles to cover more marks and general text styles for the writer and text blocks #5569

🐛 Bug fixes

  • Structure field: translate column label correctly #5485
  • Load container query polyfill only when needed #5505
  • Expose dialog and drawer mixins to plugins #5498
  • Fixed deleting user avatars #5496
  • Custom icons with 24x24 viewbox are supported now #5492
  • Link dialog: show expand toggle for pages with just drafts as children #5504
  • Fixed block field preview in fields and columns #5417
  • The header no longer disappears when a modal is being opened #5447
  • Following a link in drawer now closes the drawer again #5497
  • Fixes missing preview icons for users, pages and files in structure tables #5525
  • Sets the focus correctly when the structure field drawer is opened #5524
  • Firefox: long dialog’s top isn’t cut off anymore #5523
  • Select dropdowns now always have a white background and black text on Windows, which make them readable again everywhere #5522
  • When choosing to show only some nodes in the toolbar, the node selector is now correctly displayed again #5521
  • Fixed pages and files section error when search filtering a paginated section #5519
  • Writer toolbar in block drawer no longer jumps down on focus. #5501
  • The autofocus is now correctly set when the drawer in the object field opens. #5527
  • The multi select field does no longer show the create button, unless the accept option is setup to accept additional entries. #5533
  • Fixed nesting order of marks in the writer #5481
  • The page tree only shows listable pages #5546
  • Styling fix for the toolbar in the text block #5502
  • Page preview field: fixed escaping #4041
  • Removed unnecessary tabindex on main element #5548
  • Label for the menu toggle and the menu element #5548
  • Add type=button to the header button #5548
  • Turn up contrast for the edit icon in the header #5548
  • Use a div instead of a meaningless fieldset without legend in k-fieldset #5548
  • k-collection and k-items: options slot gets properly exposed also for table layout #5561
  • Fixed link field when UUIDs are switched off #5489
  • Fixed overflow in breadcrumbs
  • Fixed broken window.panel.$vue reference for kirbyup
  • Fixed contrast for the info text in stats
  • Fixed progress bar style in Firefox
  • Fixed option issue in uploader
  • Fixed dropzone style

♻️ Refactored

  • Reduce JS forEach usage #5494
  • Various fixes for PHP types #5495
  • Improve main view bottom padding #5542

☠️ Deprecated

  • Custom icons using a 16x16 viewbox have been deprecated. In an
    upcoming version, Kirby will only support custom icons with a 24x24
    viewbox by default. If you want to continue using icons with a different viewport, please wrap them in an <svg> element with the corresponding viewBox attribute.

🚨 Breaking changes

  • Files in a plugin's assets directory are now always assumed to be public, independent of their file extension. If your plugin needs to store other files in the assets directory, please use the new assets extension to explicitly define the public assets. #5557

🧹 Housekeeping

  • Whoops is now generally disabled during PHPUnit test runs to reduce memory usage during tests #5554

4.0.0-alpha.7

17 Aug 12:06
29889f8
Compare
Choose a tag to compare
4.0.0-alpha.7 Pre-release
Pre-release

🎉 Features

  • Load Panel area views dynamically with new when prop #5425

✨ Enhancements

  • Panel: New icon set based on https://remixicon.com/
    Screenshot 2023-08-11 at 00 01 40
  • New icons megaphonesparkling
  • Info field and section: new icon option

🐛 Bug fixes

  • Fix sort loop in structure field #5448
  • Fix link field with options #5468
  • Fix unpublishing multiple children #5470
  • Custom marks and nodes receive the right editor instance #5457
  • Upload dialog: preview for other file types than images #5461

☠️ Deprecated

  • Deprecated circle-outline icon, use circle instead
  • Deprecated heart-outline icon, use heart instead
  • Deprecated star-outline icon, use star instead

🚨 Breaking changes

  • Removed road-sign icon
  • circle icon is now named circle-filled
  • heart icon is now named heart-filled
  • star icon is now named star-filled

🧹 Housekeeping

  • More JS unit tests #5462

3.8.4.2

10 Aug 19:25
844cc00
Compare
Choose a tag to compare

🎉 Features

The Content-Security-Policy: frame-ancestors header sent by the Panel (introduced in 3.8.4.1) can now be customized with an option if needed:

return [
  'panel' => [
    // allow frame embedding from the same domain
    'frameAncestors' => true,

    // allow frame embedding from the same *and* from the specified domains
    'frameAncestors' => ['*.example.com', 'https://example.com'],

    // allow frame embedding on any domain (not recommended)
    'frameAncestors' => '*',
  ]
];

3.7.5.3

10 Aug 19:25
9d9f0ff
Compare
Choose a tag to compare

🎉 Features

The Content-Security-Policy: frame-ancestors header sent by the Panel (introduced in 3.7.5.2) can now be customized with an option if needed:

return [
  'panel' => [
    // allow frame embedding from the same domain
    'frameAncestors' => true,

    // allow frame embedding from the same *and* from the specified domains
    'frameAncestors' => ['*.example.com', 'https://example.com'],

    // allow frame embedding on any domain (not recommended)
    'frameAncestors' => '*',
  ]
];

3.6.6.4

10 Aug 19:24
515ffcc
Compare
Choose a tag to compare

🎉 Features

The Content-Security-Policy: frame-ancestors header sent by the Panel (introduced in 3.6.6.3) can now be customized with an option if needed:

return [
  'panel' => [
    // allow frame embedding from the same domain
    'frameAncestors' => true,

    // allow frame embedding from the same *and* from the specified domains
    'frameAncestors' => ['*.example.com', 'https://example.com'],

    // allow frame embedding on any domain (not recommended)
    'frameAncestors' => '*',
  ]
];