Hugging Face's logo

Spaces:
asons
/
OLD
Paused

App Files Community
OLD / patches /hf-spaces-allow-iframe-embedding.patch
asons's picture
asons
Upload 91 files
1ad21cb verified
raw
history blame contribute delete
1.29 kB
diff --git a/src/gateway/control-ui-csp.ts b/src/gateway/control-ui-csp.ts
index 8a7b56f..62b0dfd 100644
--- a/src/gateway/control-ui-csp.ts
+++ b/src/gateway/control-ui-csp.ts
@@ -7,8 +7,8 @@ export function buildControlUiCspHeader(): string {
"default-src 'self'",
"base-uri 'none'",
"object-src 'none'",
- "frame-ancestors 'none'",
+ "frame-ancestors 'self' https://huggingface.co https://*.hf.space",
"script-src 'self'",
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"img-src 'self' data: https:",
"font-src 'self' https://fonts.gstatic.com",
diff --git a/src/gateway/control-ui.ts b/src/gateway/control-ui.ts
index ed7b733..7cc0ab9 100644
--- a/src/gateway/control-ui.ts
+++ b/src/gateway/control-ui.ts
@@ -98,7 +98,8 @@ type ControlUiAvatarMeta = {
};
function applyControlUiSecurityHeaders(res: ServerResponse) {
- res.setHeader("X-Frame-Options", "DENY");
+ // Allow embedding in HF Spaces iframes (X-Frame-Options removed, CSP frame-ancestors used instead)
+ // res.setHeader("X-Frame-Options", "DENY");
res.setHeader("Content-Security-Policy", buildControlUiCspHeader());
res.setHeader("X-Content-Type-Options", "nosniff");
res.setHeader("Referrer-Policy", "no-referrer");