💩(backend) headers to allow trusted iframe origin

qbey · qbey · commit 667b8f99e87a · 2025-05-28T16:26:56.000+02:00
This is a test to allow external site to display docs in an iframe.
diff --git a/src/backend/core/middleware.py b/src/backend/core/middleware.py
@@ -0,0 +1,10 @@
+from django.utils.deprecation import MiddlewareMixin
+
+class CSPFrameAncestorsMiddleware(MiddlewareMixin):
+
+    def process_response(self, request, response):
+        response.headers['Content-Security-Policy'] = (
+            response.headers.get('Content-Security-Policy', '')
+            + "frame-ancestors 'self' http://localhost:8075;"
+        )
+        return response
diff --git a/src/backend/impress/settings.py b/src/backend/impress/settings.py
@@ -282,13 +282,15 @@ class Base(Configuration):
         "django.contrib.sessions.middleware.SessionMiddleware",
         "django.middleware.locale.LocaleMiddleware",
         "django.middleware.clickjacking.XFrameOptionsMiddleware",
+        "core.middleware.CSPFrameAncestorsMiddleware",
         "corsheaders.middleware.CorsMiddleware",
         "django.middleware.common.CommonMiddleware",
         "django.middleware.csrf.CsrfViewMiddleware",
         "django.contrib.auth.middleware.AuthenticationMiddleware",
         "django.contrib.messages.middleware.MessageMiddleware",
         "dockerflow.django.middleware.DockerflowMiddleware",
     ]
+    X_FRAME_OPTIONS = "SAMEORIGIN"
 
     AUTHENTICATION_BACKENDS = [
         "django.contrib.auth.backends.ModelBackend",
