Allow Hugging Face Space embedding

election_assistant/web.py

@@ -73,7 +73,6 @@ LOCALE_COUNTRY_HINTS = {
 SECURITY_HEADERS = [
     ("Referrer-Policy", "no-referrer"),
     ("X-Content-Type-Options", "nosniff"),
-    ("X-Frame-Options", "DENY"),
     ("Permissions-Policy", "geolocation=(), microphone=(), camera=()"),
     (
         "Content-Security-Policy",
@@ -86,7 +85,7 @@ SECURITY_HEADERS = [
         "object-src 'none'; "
         "base-uri 'self'; "
         "form-action 'self'; "
-        "frame-ancestors 'none'",
+        "frame-ancestors 'self' https://huggingface.co https://*.huggingface.co",
     ),
 ]
 

tests/test_python_app.py

@@ -358,8 +358,11 @@ class PythonAppSmokeTests(unittest.TestCase):
         header_map = dict(status_headers["headers"])
         self.assertEqual(header_map["X-Content-Type-Options"], "nosniff")
         self.assertEqual(header_map["Referrer-Policy"], "no-referrer")
-        self.assertEqual(header_map["X-Frame-Options"], "DENY")
-        self.assertIn("frame-ancestors 'none'", header_map["Content-Security-Policy"])
+        self.assertNotIn("X-Frame-Options", header_map)
+        self.assertIn(
+            "frame-ancestors 'self' https://huggingface.co https://*.huggingface.co",
+            header_map["Content-Security-Policy"],
+        )
         self.assertIn("HttpOnly", cookie)
         self.assertIn("SameSite=Lax", cookie)