frame-src csp self (#179)

equinor · Jan 22, 2020 · 592f2a2 · 592f2a2
1 parent 1ccfcb0
commit 592f2a2
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py
@@ -23,8 +23,8 @@ def __init__(self, theme_name):
             "navigate-to": "'self'",
             "base-uri": "'self'",
             "form-action": "'self'",
-            "frame-ancestors": "'none'",
-            "child-src": "'none'",
+            "frame-ancestors": "'self'",  # [3]
+            "frame-src": "'self'",  # [3]
             "object-src": "'self'",
             "plugin-types": "application/pdf",
         }
@@ -34,6 +34,9 @@ def __init__(self, theme_name):
             [1] unsafe-inline for style still needed by plotly
                 (https://github.com/plotly/plotly.js/issues/2355)
             [2] https://github.com/plotly/dash/issues/630
+            [3] We use 'self' instead of 'none' due to what looks like a Chromium bug,
+                where e.g. pdf's included using <embed> is not rendered. Might be
+                related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610
         """
 
         self._feature_policy = {