Allow Amul Pashudhan partner origins to embed the app via iframe #98
Closed
KDwevedi wants to merge 1 commit into
Conversation
The Pashudhan app (Prompt Dairy Tech) loads the chat UI returned by /api/auth/webview-url inside an iframe/webview from www.amulpashudhan.com and ahsupportqaauth.orbitron.in. The Barracuda WaaS in front of amulai.in injects X-FRAME-OPTIONS: SAMEORIGIN, which blocks the framed load (net::ERR_BLOCKED_BY_RESPONSE). Per the CSP spec, a frame-ancestors directive supersedes X-Frame-Options in browsers, so extending the allowlist here neutralizes the WAF header without a WAF policy change.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Closing — fix will be applied at the gateway/ingress layer instead of the app container.
Problem

The Amul Pashudhan app (Prompt Dairy Tech) embeds the chat UI returned by `GET /api/auth/webview-url` in an iframe/webview from:

- `http(s)://www.amulpashudhan.com/`
- `https://ahsupportqaauth.orbitron.in/`

The framed load fails with `net::ERR_BLOCKED_BY_RESPONSE` (reported in the "Please do needful..." email thread, open since 2026-05-28).

Root cause

Nothing in our stack sets an anti-framing header — the OAN-UI container nginx, the dev nginx-gateway, and prod ingress-nginx are all clean. The Barracuda WaaS cloud WAF fronting `amulai.in` / `dev.amulai.in` (CNAME → `app923823.prod.cudawaas.com`) injects `X-FRAME-OPTIONS: SAMEORIGIN` on every response, which blocks all cross-origin framing.

Fix

Extend the existing CSP `frame-ancestors` directive in `nginx.conf` to allowlist the two partner origins. Per the CSP spec, when `frame-ancestors` is present browsers ignore `X-Frame-Options`, so this neutralizes the WAF-injected header without a Barracuda policy change. Both `http://` and `https://` schemes are listed for amulpashudhan.com since the partner's embed page scheme is unconfirmed (host-sources without a scheme only match https when the resource is served over https).

Risk / validation

- `'self'` and the two partners.
- `curl -sI https://dev.amulai.in/` (CSP header must survive), then have Prompt Dairy retest from `ahsupportqaauth.orbitron.in` before promoting.
- `amul-prod` carries the bare nginx.conf (no CSP block), so a straight cherry-pick will conflict — prod should get a minimal `add_header Content-Security-Policy "frame-ancestors ..." always;` commit rather than inheriting main's full CSP.
- Pre-commit lint bypassed: repo-wide eslint fails on pre-existing unused-var errors in `src/hooks/store/chat/index.ts` from the weather-advisory merge — unrelated to this nginx-only change.

🤖 Generated with Claude Code
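Added example, not code from this PR or the OAN-UI repository: a small Python model of the browser rule the fix relies on (a `frame-ancestors` directive, when present, replaces `X-Frame-Options`), including the scheme-matching caveat for schemeless host-sources. The page URL and header values are constructed samples built from the origins named in the description.

```python
"""Model of how a browser decides whether a response may be framed."""
from urllib.parse import urlsplit


def _scheme_matches(source_scheme: str, ancestor_scheme: str) -> bool:
    # CSP scheme-part matching: an http source also matches an https ancestor, not vice versa
    return source_scheme == ancestor_scheme or (source_scheme == "http" and ancestor_scheme == "https")


def _source_matches(source: str, resource: str, ancestor: str) -> bool:
    """Match one frame-ancestors source expression against an ancestor origin (ports ignored)."""
    res, anc = urlsplit(resource), urlsplit(ancestor)
    if source == "'self'":
        return (res.scheme, res.hostname) == (anc.scheme, anc.hostname)
    if "://" in source:
        scheme, _, host = source.partition("://")
    else:
        # schemeless host-source: the resource's own scheme is used, so on an
        # https page only https ancestors can match (the caveat noted in the PR)
        scheme, host = res.scheme, source
    host = host.split("/")[0].lower()
    if not _scheme_matches(scheme.lower(), anc.scheme):
        return False
    return anc.hostname == host


def framing_allowed(resource_url: str, headers: dict, ancestor_origin: str) -> bool:
    """True if a browser would render resource_url inside a frame owned by ancestor_origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors is present: X-Frame-Options is ignored entirely
            return any(_source_matches(s, resource_url, ancestor_origin) for s in value.split())
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _source_matches("'self'", resource_url, ancestor_origin)
    return True  # no anti-framing header at all


# Constructed samples: the WAF-injected header alone, and the same response with the PR's CSP added
PAGE = "https://dev.amulai.in/chat"
WAF_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
WITH_CSP = {**WAF_ONLY, "Content-Security-Policy": (
    "frame-ancestors 'self' http://www.amulpashudhan.com https://www.amulpashudhan.com "
    "https://ahsupportqaauth.orbitron.in; default-src 'self'")}
```

With `WAF_ONLY` every partner origin is refused; with `WITH_CSP` the two partners pass and any other origin is still refused, which is the behaviour the `curl -sI` check above should confirm.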