Skip to content

Fixes iframe embedding blocked by DENY default #1345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 14 commits into from
Closed

Fixes iframe embedding blocked by DENY default #1345

Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
56ab705
Fixes iframe embedding blocked by DENY default
shoummu1 Oct 27, 2025
7849ea7
updated tests
shoummu1 Oct 27, 2025
60c9df0
update test scripts
shoummu1 Oct 27, 2025
d44a5c7
Revert "update test scripts"
shoummu1 Oct 28, 2025
509b5bf
Revert "updated tests"
shoummu1 Oct 28, 2025
8ac18bd
Revert "Fixes iframe embedding blocked by DENY default"
shoummu1 Oct 28, 2025
02de917
handle empty X_FRAME_OPTIONS override
shoummu1 Oct 28, 2025
b860af6
Revert "updated tests"
shoummu1 Oct 28, 2025
6317f69
Revert "Fixes iframe embedding blocked by DENY default"
shoummu1 Oct 28, 2025
2c9b0f2
handle empty X_FRAME_OPTIONS override
shoummu1 Oct 28, 2025
e08bb46
Merge branch 'fix/iframe-options-default' of https://github.com/IBM/m…
shoummu1 Oct 28, 2025
0fcfe96
Revert "Fixes iframe embedding blocked by DENY default"
shoummu1 Oct 28, 2025
6f18ad2
handle empty X_FRAME_OPTIONS override
shoummu1 Oct 28, 2025
2aaa732
Merge branch 'fix/iframe-options-default' of https://github.com/IBM/m…
shoummu1 Oct 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 23 additions & 15 deletions mcpgateway/middleware/security_headers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -255,8 +255,12 @@ async def dispatch(self, request: Request, call_next) -> Response:
if settings.x_content_type_options_enabled:
response.headers["X-Content-Type-Options"] = "nosniff"

if settings.x_frame_options:
response.headers["X-Frame-Options"] = settings.x_frame_options
# Handle X-Frame-Options: None = don't set header, empty string = allow all, other values = set header
if settings.x_frame_options is not None:
if settings.x_frame_options: # Non-empty string
response.headers["X-Frame-Options"] = settings.x_frame_options
# Empty string means user wants to disable the header (allow all frames)
# Don't set the header in this case

if settings.x_xss_protection_enabled:
response.headers["X-XSS-Protection"] = "0" # Modern browsers use CSP instead
Expand All @@ -269,21 +273,25 @@ async def dispatch(self, request: Request, call_next) -> Response:
# Content Security Policy
# This CSP is designed to work with the Admin UI while providing security
# Dynamically set frame-ancestors based on X_FRAME_OPTIONS setting
x_frame = str(settings.x_frame_options)
x_frame_upper = x_frame.upper()

if x_frame_upper == "DENY":
frame_ancestors = "'none'"
elif x_frame_upper == "SAMEORIGIN":
if settings.x_frame_options is None:
# No X-Frame-Options configured, default to self
frame_ancestors = "'self'"
elif x_frame_upper.startswith("ALLOW-FROM"):
allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
frame_ancestors = allowed_uri
elif not x_frame: # Empty string means allow all
frame_ancestors = "*"
else:
# Default to none for unknown values
frame_ancestors = "'none'"
x_frame = str(settings.x_frame_options)
x_frame_upper = x_frame.upper()

if x_frame_upper == "DENY":
frame_ancestors = "'none'"
elif x_frame_upper == "SAMEORIGIN":
frame_ancestors = "'self'"
elif x_frame_upper.startswith("ALLOW-FROM"):
allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
frame_ancestors = allowed_uri
elif not x_frame: # Empty string means allow all
frame_ancestors = "*"
else:
# Default to self for unknown values (matches SAMEORIGIN default)
frame_ancestors = "'self'"

csp_directives = [
"default-src 'self'",
Expand Down
Loading