mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
* fix(csp): allow cross-subdomain framing and add finance to frame-src

  frame-ancestors 'self' blocked tech/finance variants from rendering inside the Pro landing page iframe. Widen to *.worldmonitor.app. Also adds missing finance.worldmonitor.app to frame-src.

  Closes #1322

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(csp): remove conflicting X-Frame-Options and tighten frame-ancestors

  X-Frame-Options: SAMEORIGIN contradicts the new frame-ancestors directive that allows cross-subdomain framing. Modern browsers prioritize frame-ancestors over X-Frame-Options, but sending both is contradictory and gets flagged by security scanners. Remove X-Frame-Options entirely.

  Also replace wildcard *.worldmonitor.app with explicit subdomain list to limit the framing scope to known variants only.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Elie Habib <elie.habib@gmail.com>
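The two commits above describe three header-level mistakes: X-Frame-Options sent alongside frame-ancestors, a wildcard *.worldmonitor.app in frame-ancestors, and a variant (finance) missing from frame-src. The script below is an added example, not code from the worldmonitor repository, that audits a set of response headers for exactly those conditions so a deploy check can catch them before a scanner does. The sample header sets are constructed; the list of variant origins is an assumption (only finance.worldmonitor.app is named in the commits, tech is inferred from "tech/finance variants").

```javascript
// Added example (not part of the worldmonitor project): audit HTTP response
// headers for the framing-policy issues the commits describe.

// Origins that must be allowed to frame the landing page and that the landing
// page embeds. ASSUMED list; only finance is named explicitly in the commits.
const VARIANT_ORIGINS = [
  "https://tech.worldmonitor.app",
  "https://finance.worldmonitor.app",
];

// Parse a Content-Security-Policy value into { directiveName: [sourceExpressions] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns an array of finding codes; an empty array means the framing policy is consistent.
function auditFramingPolicy(headers) {
  const findings = [];
  // Header names are case-insensitive; normalise before lookup.
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const cspValue = lower["content-security-policy"];
  const csp = cspValue ? parseCsp(cspValue) : {};
  const ancestors = csp["frame-ancestors"];
  const frameSrc = csp["frame-src"];

  // 1. CSP-aware browsers ignore X-Frame-Options once frame-ancestors is present,
  //    so sending both is redundant at best and contradictory when they disagree.
  if (ancestors && "x-frame-options" in lower) findings.push("xfo-with-frame-ancestors");

  if (!ancestors) {
    findings.push("no-frame-ancestors");
  } else {
    // 2. A wildcard host widens framing to every current and future subdomain.
    const wildcards = ancestors.filter((src) => src.includes("*"));
    for (const src of wildcards) findings.push(`wildcard-frame-ancestors:${src}`);
    // 3. Without a wildcard, each variant that frames the page needs an explicit entry.
    if (wildcards.length === 0) {
      for (const origin of VARIANT_ORIGINS) {
        if (!ancestors.includes(origin)) findings.push(`frame-ancestors-missing:${origin}`);
      }
    }
  }

  // 4. The page embeds the variants itself, so frame-src must list each of them.
  if (frameSrc) {
    for (const origin of VARIANT_ORIGINS) {
      if (!frameSrc.includes(origin)) findings.push(`frame-src-missing:${origin}`);
    }
  }
  return findings;
}

// Constructed "before" header set: the state after the first commit alone.
const BEFORE = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'self' *.worldmonitor.app; " +
    "frame-src 'self' https://tech.worldmonitor.app",
};

// Constructed "after" header set: no X-Frame-Options, explicit hosts, finance in frame-src.
const AFTER = {
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'self' https://tech.worldmonitor.app https://finance.worldmonitor.app; " +
    "frame-src 'self' https://tech.worldmonitor.app https://finance.worldmonitor.app",
};

console.log("before:", auditFramingPolicy(BEFORE));
console.log("after:", auditFramingPolicy(AFTER));
```

Run against the "before" set it reports the X-Frame-Options conflict, the wildcard source and the missing finance frame-src entry; the "after" set yields no findings. The explicit-host check is skipped when a wildcard is present so that one root cause does not produce a cascade of findings.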