also add frame-src

Emyrk · Emyrk · commit 95f3b617ada2 · 2025-05-29T09:50:22.000-05:00
diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
@@ -39,6 +39,7 @@ const (
 	CSPDirectiveFormAction  CSPFetchDirective = "form-action"
 	CSPDirectiveMediaSrc    CSPFetchDirective = "media-src"
 	CSPFrameAncestors       CSPFetchDirective = "frame-ancestors"
+	CSPFrameSource          CSPFetchDirective = "frame-src"
 	CSPDirectiveWorkerSrc   CSPFetchDirective = "worker-src"
 )
 
@@ -100,6 +101,7 @@ func CSPHeaders(experiments codersdk.Experiments, telemetry bool, websocketHosts
 				// AI tasks use iframe embeds of local apps.
 				// TODO: Handle region domains too, not just path based apps
 				cspSrcs.Append(CSPFrameAncestors, `'self'`)
+				cspSrcs.Append(CSPFrameSource, `'self'`)
 			} else {
 				cspSrcs.Append(CSPFrameAncestors, `'none'`)
 			}

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ const (`
`39`	`39`	`CSPDirectiveFormAction CSPFetchDirective = "form-action"`
`40`	`40`	`CSPDirectiveMediaSrc CSPFetchDirective = "media-src"`
`41`	`41`	`CSPFrameAncestors CSPFetchDirective = "frame-ancestors"`
	`42`	`+ CSPFrameSource CSPFetchDirective = "frame-src"`
`42`	`43`	`CSPDirectiveWorkerSrc CSPFetchDirective = "worker-src"`
`43`	`44`	`)`
`44`	`45`
`@@ -100,6 +101,7 @@ func CSPHeaders(experiments codersdk.Experiments, telemetry bool, websocketHosts`
`100`	`101`	`// AI tasks use iframe embeds of local apps.`
`101`	`102`	`// TODO: Handle region domains too, not just path based apps`
`102`	`103`	cspSrcs.Append(CSPFrameAncestors, `'self'`)
	`104`	+ cspSrcs.Append(CSPFrameSource, `'self'`)
`103`	`105`	`} else {`
`104`	`106`	cspSrcs.Append(CSPFrameAncestors, `'none'`)
`105`	`107`	`}`