From edf56c116420de6554a1d26740e1f476496838a3 Mon Sep 17 00:00:00 2001
From: Scott Pouliot
Date: Sat, 23 May 2026 10:02:23 -0400
Subject: [PATCH] Fix iframe blocking: SAMEORIGIN + frame-ancestors 'self'

X-Frame-Options: DENY blocked all iframe embeds including our own QR label modal. Changed to SAMEORIGIN and added frame-ancestors 'self' to CSP so same-origin iframes (Label page) load correctly.

Co-Authored-By: Claude Sonnet 4.6
---
 src/PowderCoating.Web/Program.cs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/PowderCoating.Web/Program.cs b/src/PowderCoating.Web/Program.cs
index 1d38d5e..15e8dcc 100644
--- a/src/PowderCoating.Web/Program.cs
+++ b/src/PowderCoating.Web/Program.cs
@@ -671,8 +671,8 @@ System.Globalization.CultureInfo.DefaultThreadCurrentUICulture = cultureInfo;
 // SECURITY: Add security headers middleware
 app.Use(async (context, next) =>
 {
- // Prevent clickjacking
- context.Response.Headers.Append("X-Frame-Options", "DENY");
+ // Prevent clickjacking — SAMEORIGIN so our own iframe embeds (QR labels, etc.) still work
+ context.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
 // Prevent MIME type sniffing
 context.Response.Headers.Append("X-Content-Type-Options", "nosniff");
@@ -699,7 +699,8 @@ app.Use(async (context, next) =>
 "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
 "img-src 'self' data: https:; " +
 $"connect-src {cspConnectSrc}; " +
- "frame-src 'self' https://js.stripe.com https://hooks.stripe.com");
+ "frame-src 'self' https://js.stripe.com https://hooks.stripe.com; " +
+ "frame-ancestors 'self'");
 // Referrer Policy - control referrer information
 context.Response.Headers.Append("Referrer-Policy", "strict-origin-when-cross-origin");
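Review bot: The new comment on the X-Frame-Options line should say that this header is now only a fallback: browsers that support CSP Level 2 apply the frame-ancestors directive from Content-Security-Policy in preference to X-Frame-Options, so the `frame-ancestors 'self'` added in the second hunk is what governs there and the two values must be kept in sync. Suggest `// Prevent clickjacking — SAMEORIGIN so our own iframe embeds (QR labels, etc.) still work; fallback for browsers without CSP frame-ancestors support, keep in sync with frame-ancestors below`. Both SAMEORIGIN and 'self' compare the full origin (scheme, host and port), so the embedding page and the label page must be served from the same origin; whether that holds behind a reverse proxy or in a dev setup on another port cannot be confirmed from the hunk. The app.Use lambda that both hunks sit in opens in the first hunk and closes outside the second.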