Harshit Ghosh commited on
Commit ·
19dbcd4
1
Parent(s): cc2e4dc
Fix CSP to allow Hugging Face framing
security.py +3 -2
security.py
CHANGED
|
@@ -27,7 +27,8 @@ def init_security(app):
|
|
| 27 |
"""Add security headers to all responses"""
|
| 28 |
|
| 29 |
# Prevent clickjacking attacks
|
| 30 |
-
|
|
|
|
| 31 |
|
| 32 |
# Prevent MIME type sniffing
|
| 33 |
response.headers['X-Content-Type-Options'] = 'nosniff'
|
|
@@ -43,7 +44,7 @@ def init_security(app):
|
|
| 43 |
"font-src 'self' https://fonts.gstatic.com; "
|
| 44 |
"img-src 'self' data: https://res.cloudinary.com; "
|
| 45 |
"connect-src 'self'; "
|
| 46 |
-
"frame-ancestors 'self'; "
|
| 47 |
"base-uri 'self'; "
|
| 48 |
"form-action 'self'"
|
| 49 |
)
|
|
|
|
| 27 |
"""Add security headers to all responses"""
|
| 28 |
|
| 29 |
# Prevent clickjacking attacks
|
| 30 |
+
# X-Frame-Options is removed because it prevents Hugging Face from embedding the app.
|
| 31 |
+
# We rely on CSP frame-ancestors instead.
|
| 32 |
|
| 33 |
# Prevent MIME type sniffing
|
| 34 |
response.headers['X-Content-Type-Options'] = 'nosniff'
|
|
|
|
| 44 |
"font-src 'self' https://fonts.gstatic.com; "
|
| 45 |
"img-src 'self' data: https://res.cloudinary.com; "
|
| 46 |
"connect-src 'self'; "
|
| 47 |
+
"frame-ancestors 'self' https://huggingface.co https://*.hf.space; "
|
| 48 |
"base-uri 'self'; "
|
| 49 |
"form-action 'self'"
|
| 50 |
)
|
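Review bot: `https://*.hf.space` in the new frame-ancestors value (new line 47) is a wildcard over a multi-tenant domain — Spaces are served from per-Space hf.space subdomains, so this lets a Space run by any account frame the app, which reintroduces the clickjacking exposure the directive is meant to prevent. If the app only needs to be embedded by huggingface.co and by itself, `'self' https://huggingface.co` is sufficient; if an intermediate hf.space frame really is involved, pin it to that single host, e.g. `"frame-ancestors 'self' https://huggingface.co https://<owner>-<space>.hf.space; "` (placeholder host). Dropping `X-Frame-Options` altogether (old line 30) is also not needed for the embed to work: browsers that support frame-ancestors ignore X-Frame-Options when both are present, so keeping `X-Frame-Options: SAMEORIGIN` would retain a fallback for clients without CSP2 support at no cost to the embed in current browsers, and the new comment on lines 30-31 should state that trade-off rather than claiming the header "prevents Hugging Face from embedding the app". init_security begins and ends outside the hunks shown, so I cannot tell whether the header is also set elsewhere in the response path.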