From 81361a778acf5e40a624ad227c289c3e3dabdd5d Mon Sep 17 00:00:00 2001
From: KDwevedi
Date: Fri, 12 Jun 2026 12:27:01 +0530
Subject: [PATCH] Allow Amul Pashudhan partner origins to embed the app via iframe

The Pashudhan app (Prompt Dairy Tech) loads the chat UI returned by /api/auth/webview-url inside an iframe/webview from www.amulpashudhan.com and ahsupportqaauth.orbitron.in. The Barracuda WaaS in front of amulai.in injects X-FRAME-OPTIONS: SAMEORIGIN, which blocks the framed load (net::ERR_BLOCKED_BY_RESPONSE). Per the CSP spec, a frame-ancestors directive supersedes X-Frame-Options in browsers, so extending the allowlist here neutralizes the WAF header without a WAF policy change.

Co-Authored-By: Claude Fable 5
---
 nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx.conf b/nginx.conf
index b66ad79..ce3be0b 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -10,7 +10,7 @@ server {
 add_header Permissions-Policy "microphone=(self \"https://stagingchatbot.pmkisan.gov.in\")" always;
 # Content Security Policy for app assets and trusted external font sources
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: blob: https:; connect-src 'self' https: wss:; media-src 'self' data: blob: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: blob: https:; connect-src 'self' https: wss:; media-src 'self' data: blob: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'self' https://www.amulpashudhan.com http://www.amulpashudhan.com https://ahsupportqaauth.orbitron.in;" always;
 }
 # redirect server error pages to the static page /50x.html
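Review bot: The new frame-ancestors value includes `http://www.amulpashudhan.com`, a plain-HTTP origin, so a parent page delivered without TLS is now permitted to frame the app and the clickjacking protection this directive provides rests on an ancestor whose integrity is not protected in transit; unless the partner has confirmed it must embed from plain HTTP, keep only the https entries, and if it is genuinely required, record the reason beside it. The comment on the line above the directive still says "for app assets and trusted external font sources" and no longer describes what the directive does; suggest `# Content Security Policy: app assets, trusted font sources, and partner origins (Pashudhan) allowed to frame the UI`. The commit message's claim that this neutralizes the WAF's X-Frame-Options header holds only in user agents that implement CSP Level 2 frame-ancestors; an older webview that ignores the directive will still honor SAMEORIGIN, so the framed load is worth verifying in the actual Pashudhan webview rather than assumed. The enclosing `server {` block begins and ends outside the hunk.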