| |
| |
| |
| |
| @@ -7,8 +7,8 @@ export function buildControlUiCspHeader(): string { |
| "default-src 'self'", |
| "base-uri 'none'", |
| "object-src 'none'", |
| - "frame-ancestors 'none'", |
| + "frame-ancestors 'self' https://huggingface.co https://*.hf.space", |
| "script-src 'self'", |
| "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com", |
| "img-src 'self' data: https:", |
| "font-src 'self' https://fonts.gstatic.com", |
| |
| |
| |
| |
| @@ -98,7 +98,8 @@ type ControlUiAvatarMeta = { |
| }; |
| |
| function applyControlUiSecurityHeaders(res: ServerResponse) { |
| - res.setHeader("X-Frame-Options", "DENY"); |
| + // Allow embedding in HF Spaces iframes (X-Frame-Options removed, CSP frame-ancestors used instead) |
| + // res.setHeader("X-Frame-Options", "DENY"); |
| res.setHeader("Content-Security-Policy", buildControlUiCspHeader()); |
| res.setHeader("X-Content-Type-Options", "nosniff"); |
| res.setHeader("Referrer-Policy", "no-referrer"); |
|
|
