From 6ba20299f4715e49e33a5fdeb8a419983c7bc0f3 Mon Sep 17 00:00:00 2001
From: Nisarg Jhaveri
Date: Sun, 20 Oct 2024 21:50:49 +0530
Subject: [PATCH] Remove frame-ancestors CSP to allow embedding via iframe

---
 res/_headers | 5 +----
 server.js | 2 --
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/res/_headers b/res/_headers
index 6bf55d57fd..4b2b0ef18c 100644
--- a/res/_headers
+++ b/res/_headers
@@ -7,9 +7,6 @@
 # Protection for versions that do not support CSP yet.
 X-XSS-Protection: 1; mode=block
- # Do not allow being embedded in a frame.
- X-Frame-Options: SAMEORIGIN
-
 # Do not give the referrer for external navigations.
 Referrer-Policy: same-origin
@@ -25,7 +22,7 @@
 # 7. `frame-ancestors` is the same purpose as `X-Frame-Options` above.
 # 8. `form-action`prevents forms, we don't need this.`
 # 9. `frame-src` allows the embedding of YouTube videos in the docs.
- Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src http: https: data:; object-src 'none'; connect-src *; frame-ancestors 'self'; form-action 'none'; frame-src www.youtube-nocookie.com
+ Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src http: https: data:; object-src 'none'; connect-src *; form-action 'none'; frame-src www.youtube-nocookie.com
 # Set the correct MIME type for WebAssembly modules.
 /*.wasm
diff --git a/server.js b/server.js
index 8fd72da838..e46223abe3 100644
--- a/server.js
+++ b/server.js
@@ -47,7 +47,6 @@ const serverConfig = {
 // /!\ Don't forget to keep it sync-ed with the headers here /!\
 'X-Content-Type-Options': 'nosniff',
 'X-XSS-Protection': '1; mode=block',
- 'X-Frame-Options': 'SAMEORIGIN',
 'Referrer-Policy': 'same-origin',
 'Content-Security-Policy': oneLine`
 default-src 'self';
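Review bot: Removing `X-Frame-Options: SAMEORIGIN` here, together with `frame-ancestors 'self'` in the @@ -25 hunk and the matching server.js lines in the @@ -47 and @@ -59 hunks, leaves the app frameable by any origin, so the clickjacking protection the deleted comment describes is dropped rather than relaxed. If the goal is embedding by known hosts, keep the directive with an allowlist instead, e.g. `frame-ancestors 'self' https://<embedding-origin>;` (placeholder) in the CSP line; `X-Frame-Options` can then go, since it cannot express an allowlist. If embedding really must be open to every origin, the commit message should state that decision and the sensitive user actions in the app should be reviewed for exposure when rendered inside a third-party frame.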
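Review bot: The context line `# 7. \`frame-ancestors\` is the same purpose as \`X-Frame-Options\` above.` is now stale twice over: the directive it explains is gone from the policy line below it, and the `X-Frame-Options` header it points to was removed in the @@ -7 hunk. Either drop item 7 and renumber 8 and 9, or reword it to record the decision, e.g. `# 7. \`frame-ancestors\` is intentionally omitted so the app can be embedded via iframe.` The earlier items of this numbered list are outside the hunk, so check them for other references to framing.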
@@ -59,7 +58,6 @@ const serverConfig = {
 img-src http: https: data:;
 object-src 'none';
 connect-src *;
- frame-ancestors 'self';
 form-action 'none'
 `,
 },