fix: Add frame-src to CSP to allow Swagger UI iframe

- Add frame-src directive to CSP_POLICY and CSP_POLICY_DEV in csp.ts
- Add frame-src to Vite dev server CSP headers
- Allows loading Swagger UI iframe from backend (localhost:8080)
- Fixes Content-Security-Policy violation blocking Swagger documentation
senke 2026-01-18 14:03:02 +01:00
parent 5d1b22e5ce
commit beb4d25bbf
2 changed files with 3 additions and 0 deletions


@ -53,6 +53,7 @@ export const CSP_POLICY = {
'img-src': ["'self'", 'data:', 'https:', 'blob:'],
'connect-src': ["'self'", 'ws:', 'wss:', 'http:', 'https:'],
'font-src': ["'self'", 'data:', 'https://fonts.gstatic.com'],
'frame-src': ["'self'", 'http://localhost:8080', 'https://localhost:8080'],
'object-src': ["'none'"],
'base-uri': ["'self'"],
'form-action': ["'self'"],
@ -129,6 +130,7 @@ export const CSP_POLICY_DEV = {
'img-src': ["'self'", 'data:', 'https:', 'blob:'],
'connect-src': ["'self'", 'ws:', 'wss:', 'http:', 'https:'],
'font-src': ["'self'", 'data:', 'https:'],
'frame-src': ["'self'", 'http://localhost:8080', 'https://localhost:8080'],
'object-src': ["'none'"],
'base-uri': ["'self'"],
'form-action': ["'self'"],
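Review bot: The `frame-src` entry added to `CSP_POLICY` in the first hunk allows `http://localhost:8080` and `https://localhost:8080`, which are development origins in what appears to be the production policy, given that a separate `CSP_POLICY_DEV` exists. On a deployed page, localhost is the visitor's own machine, so the policy would permit framing whatever listens on that port there, and it still would not cover the real backend origin. I would keep the localhost sources in `CSP_POLICY_DEV` only and leave production at `'frame-src': ["'self'"],`, adding the deployed API-docs origin from configuration if Swagger UI is meant to be reachable there. Both policy objects start and end outside the hunks, so the rest of each policy is not visible here.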


@ -196,6 +196,7 @@ export default defineConfig(({ mode }) => {
"worker-src 'self' blob:",
"img-src 'self' data: https: blob:",
"connect-src 'self' ws: wss: http: https:",
"frame-src 'self' http://localhost:8080 https://localhost:8080",
"object-src 'none'",
"base-uri 'self'",
"form-action 'self'",
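Review bot: The `frame-src` line added to the dev-server header list repeats by hand the source list this commit also adds to `CSP_POLICY_DEV` in csp.ts, so the two development policies can drift apart. If the Vite config can import from csp.ts (not visible here), building this header from `CSP_POLICY_DEV` would keep a single source of truth. Otherwise a comment such as `// keep in sync with CSP_POLICY_DEV in csp.ts` on this line would at least flag the coupling. The backend port is also hard-coded, so a backend started on a different port will hit the same CSP violation again. The header array continues outside the hunk.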