From c9388add9df7c4dd17fc22a1de96b75197f06d77 Mon Sep 17 00:00:00 2001 From: David Mehren Date: Thu, 12 Aug 2021 22:35:21 +0200 Subject: [PATCH] Add FAQ entry about iframing HedgeDoc Signed-off-by: David Mehren --- docs/content/faq.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/content/faq.md b/docs/content/faq.md index 5736f7f03..5c0c0aacf 100644 --- a/docs/content/faq.md +++ b/docs/content/faq.md @@ -34,3 +34,14 @@ header (which might be insecure) or include the URI of your HedgeDoc instance in See [Mozillas docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) for more details. Also note that the `X-Frame-Options` header [is being obsoleted](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) by the `frame-ancestors` statement in the `Content-Security-Policy` header. + +## Why can I not embed a HedgeDoc note in other pages using iframes? +Allowing your HedgeDoc instance to be embedded in other pages increases the risk of [clickjacking](https://en.wikipedia.org/wiki/Clickjacking), +[XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and other attacks. +Therefore, **we recommend to not enable** this option. +If you still want to allow embedding via iframe, ensure that: + +- Your HedgeDoc instance is served via HTTPS +- `cookiePolicy` / `CMD_COOKIE_POLICY` is set to `none` (Otherwise you will get a `AUTH failed: No cookie transmitted` error.) +- `csp.allowFraming` / `CMD_CSP_ALLOW_FRAMING` is set to `true` +
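Review bot: The three bullets in the new FAQ entry read as independent requirements, but the first two are coupled and the entry should say so: a cookie policy of `none` only works when the cookie is also sent over HTTPS (browsers reject such cookies on plain HTTP), which is the reason the HTTPS bullet is there, and a reader who skips it will hit exactly the `AUTH failed: No cookie transmitted` error the text mentions. Suggest rewording the second bullet along the lines of "`cookiePolicy` / `CMD_COOKIE_POLICY` is set to `none` (this is only honoured over HTTPS; otherwise you will get an `AUTH failed: No cookie transmitted` error.)". While here: "a `AUTH failed`" should be "an `AUTH failed`", and "we recommend to not enable this option" reads better as "we recommend not enabling this option". Finally, since the paragraph just above the hunk points readers to `frame-ancestors` as the replacement for `X-Frame-Options`, it would help to state whether `csp.allowFraming` permits any origin to frame the instance or can be restricted to specific origins, as unrestricted framing is what makes the clickjacking risk the entry warns about concrete.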