Embed Issues: “Same Origin” for Admin Folder

(Posting here because I can’t get my post to publish on the H5p Support forum.)

I’m reaching out for some clarification regarding the embed code generated by H5p through the wordpress plugin, specifically in relation to the X-Frame-Options header.

The embed link for my h5p content is being generated through the wp-admin folder. (https://website.com/wp-admin/admin-ajax.php?action=h5p_embed&id=438) However, I’ve noticed that the X-Frame-Options header for the wp-admin folder is set to ‘SAMEORIGIN’, while the rest of my website does not have the same restriction. This prevents me from embedding any content off-site.

Considering that the wp-admin folder is for administrative functionality, I’m curious as to why the embed code is being created through this particular folder. It seems counterintuitive to have the link go through that folder, and pretty much guarantees that users aren’t able to embed off-site without altering with the security of that folder.

Is there an alternative approach to generating the embed code, bypassing the wp-admin folder? Or can you recommend a solution to enable embedding to external domains without compromising the security of the administrative area?

I have the ability to adjust the X-Frame-Options header for my website, but I don’t have the same control over the wp-admin folder specifically. My understanding is that this setting is dictated by WordPress and not by my server, but I am unable to change it.