feat: allow iframing urls on the same domain as the deployment

Emyrk · Emyrk · commit edb2314ad3ff · 2025-05-29T09:15:58.000-05:00
Used for AI tasks
diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
@@ -88,7 +88,7 @@ func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions
 				CSPDirectiveMediaSrc:   {"'self'"},
 				// Report all violations back to the server to log
 				CSPDirectiveReportURI: {"/api/v2/csp/reports"},
-				CSPFrameAncestors:     {"'none'"},
+				CSPFrameAncestors:     {"'self'"},
 
 				// Only scripts can manipulate the dom. This prevents someone from
 				// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
