From 0909e63209c5cd6165ad62db8a73d1ac9c697f33 Mon Sep 17 00:00:00 2001
From: Arun S
Date: Thu, 19 Dec 2024 19:10:05 +0530
Subject: [PATCH] [Bugfix] Added empty vlue to frameoptions in redash and frame-ancestors

---
 redash/settings/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index ada2b747ba..dfc6bba0e9 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -97,7 +97,7 @@
 # on the specific deployment.
 # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 # for more information.
-FRAME_OPTIONS = os.environ.get("REDASH_FRAME_OPTIONS", "deny")
+FRAME_OPTIONS = os.environ.get("REDASH_FRAME_OPTIONS", "")
 FRAME_OPTIONS_ALLOW_FROM = os.environ.get("REDASH_FRAME_OPTIONS_ALLOW_FROM", "")
 
 # Whether and how to send Strict-Transport-Security response headers.
@@ -117,7 +117,7 @@
 # for more information. E.g.:
 CONTENT_SECURITY_POLICY = os.environ.get(
     "REDASH_CONTENT_SECURITY_POLICY",
-    "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-src redash.io *.aot-technologies.com;",
+    "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none';frame-ancestors 'self' *.aot-technologies.com; frame-src redash.io *.aot-technologies.com;",
 )
 CONTENT_SECURITY_POLICY_REPORT_URI = os.environ.get("REDASH_CONTENT_SECURITY_POLICY_REPORT_URI", "")
 CONTENT_SECURITY_POLICY_REPORT_ONLY = parse_boolean(
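Review bot: Changing the REDASH_FRAME_OPTIONS default from "deny" to "" removes the X-Frame-Options fallback from the out-of-the-box configuration, so clickjacking protection now rests entirely on the frame-ancestors directive added to the CSP default in the second hunk; an operator who overrides REDASH_CONTENT_SECURITY_POLICY without a frame-ancestors directive, or who enables CONTENT_SECURITY_POLICY_REPORT_ONLY (declared just below the second hunk, where a report-only policy enforces nothing), is left with no enforced framing restriction at all. This assumes the code that emits the header skips it on an empty value, which is outside the hunk. The comment block above the assignment should state the new semantics rather than leave them implicit: `# An empty value (the default) sends no X-Frame-Options header; framing is then governed only by the frame-ancestors directive of CONTENT_SECURITY_POLICY, so deployments that customise the CSP must keep that directive or set REDASH_FRAME_OPTIONS explicitly.`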
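Review bot: The new directive is glued to the previous one (`object-src 'none';frame-ancestors`) while every other directive in the string is separated by `; `; browsers tolerate the missing space, but the inconsistency invites a copy-paste slip the next time the policy is edited, so it should read `object-src 'none'; frame-ancestors 'self' *.aot-technologies.com; frame-src redash.io *.aot-technologies.com;`. The default now hard-codes deployment-specific hosts (`*.aot-technologies.com`), which the comment above already says belong to the specific deployment; a short note next to the default, such as `# Deployment-specific hosts: override via REDASH_CONTENT_SECURITY_POLICY per environment.`, would make that explicit.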