Fix iframe blocking: SAMEORIGIN + frame-ancestors 'self'

X-Frame-Options: DENY blocked all iframe embeds including our own QR label
modal. Changed to SAMEORIGIN and added frame-ancestors 'self' to CSP so
same-origin iframes (Label page) load correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-23 10:02:23 -04:00
parent b9cd693421
commit edf56c1164
+4 -3
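--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -671,8 +671,8 @@ System.Globalization.CultureInfo.DefaultThreadCurrentUICulture = cultureInfo;
 // SECURITY: Add security headers middleware
 app.Use(async (context, next) =>
 {
-// Prevent clickjacking
-context.Response.Headers.Append("X-Frame-Options", "DENY");
+// Prevent clickjacking — SAMEORIGIN so our own iframe embeds (QR labels, etc.) still work
+context.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
 // Prevent MIME type sniffing
 context.Response.Headers.Append("X-Content-Type-Options", "nosniff");
@@ -699,7 +699,8 @@ app.Use(async (context, next) =>
 "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
 "img-src 'self' data: https:; " +
 $"connect-src {cspConnectSrc}; " +
-"frame-src 'self' https://js.stripe.com https://hooks.stripe.com");
+"frame-src 'self' https://js.stripe.com https://hooks.stripe.com; " +
+"frame-ancestors 'self'");
 // Referrer Policy - control referrer information
 context.Response.Headers.Append("Referrer-Policy", "strict-origin-when-cross-origin");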
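Review bot: With `frame-ancestors 'self'` now in the CSP, browsers that support that directive ignore X-Frame-Options entirely, so the CSP line added here is the effective framing policy and the X-Frame-Options line in the first hunk is only a fallback for legacy clients; the comment on that line should say so, e.g. `// Prevent clickjacking — legacy fallback; the effective policy is CSP frame-ancestors below and must stay in sync with this value`. Both headers are written with `Headers.Append`, so if anything else in the pipeline also sets X-Frame-Options the header becomes multi-valued and a conflicting pair (for example DENY alongside SAMEORIGIN) is not applied as intended; `context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";` sets it unambiguously. Note also that `'self'` allows any same-origin page to frame any other page, so the clickjacking defence now rests on no attacker-influenced content ever being served from this origin; if only the Label page needs to be framed, the tighter design is to keep `frame-ancestors 'none'`/DENY globally and relax it on that endpoint alone. The enclosing `app.Use` lambda starts before this hunk and continues past it.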