feat: enable iframe embedding by injecting a preload script to strip security headers and update CSP policies

health-server.js

@@ -6,7 +6,6 @@ const PORT = process.env.HEALTH_PORT || 7861;
 const startTime = Date.now();
 const LLM_MODEL = process.env.LLM_MODEL || "Not Set";
 const GATEWAY_TOKEN = process.env.GATEWAY_TOKEN || "huggingclaw";
-const SPACE_HOST = process.env.SPACE_HOST || "localhost:7860";
 const TELEGRAM_ENABLED = !!process.env.TELEGRAM_BOT_TOKEN;
 
 const server = http.createServer((req, res) => {
@@ -50,16 +49,6 @@ const server = http.createServer((req, res) => {
     return;
   }
 
-  // Auto-login redirect to OpenClaw Control UI
-  if (req.url === "/login") {
-    const protocol = req.headers["x-forwarded-proto"] || "http";
-    const host = req.headers["host"] || SPACE_HOST;
-    const target = `${protocol}://${host}/?token=${GATEWAY_TOKEN}`;
-    res.writeHead(302, { Location: target });
-    res.end();
-    return;
-  }
-
   if (req.url === "/") {
     res.writeHead(200, { "Content-Type": "text/html" });
     res.end(`
@@ -262,7 +251,7 @@ const server = http.createServer((req, res) => {
                 <span class="stat-label">Telegram</span>
                 <span id="tg-status">Loading...</span>
             </div>
-            <a href="/login" class="stat-btn">🚀 Open Control UI</a>
+            <a href="/" class="stat-btn">🚀 Open Control UI</a>
         </div>
 
         <div class="stat-card" style="width: 100%;">

iframe-fix.cjs

@@ -0,0 +1,45 @@
+/**
+ * iframe-fix.cjs — Node.js preload script
+ *
+ * Intercepts OpenClaw's HTTP server to:
+ * 1. Allow iframe embedding (strip X-Frame-Options, fix CSP)
+ */
+'use strict';
+
+const http = require('http');
+
+console.log('[iframe-fix] Initialized: Allowing iframe embedding for *.hf.space and huggingface.co');
+
+const origEmit = http.Server.prototype.emit;
+
+http.Server.prototype.emit = function (event, ...args) {
+  if (event === 'request') {
+    const [, res] = args;
+
+    // Only intercept on the main OpenClaw server (port 7860)
+    const serverPort = this.address && this.address() && this.address().port;
+    if (serverPort && serverPort !== 7860) {
+      return origEmit.apply(this, [event, ...args]);
+    }
+
+    // Fix iframe embedding — must be applied BEFORE any early returns
+    const origWriteHead = res.writeHead;
+    res.writeHead = function (statusCode, ...whArgs) {
+      if (res.getHeader) {
+        // Strip X-Frame-Options so it can load in a Hugging Face Space iframe
+        res.removeHeader('x-frame-options');
+        
+        // Update Content-Security-Policy if it contains frame-ancestors 'none'
+        const csp = res.getHeader('content-security-policy');
+        if (csp && typeof csp === 'string') {
+          res.setHeader('content-security-policy',
+            csp.replace(/frame-ancestors\s+'none'/i,
+              "frame-ancestors 'self' https://huggingface.co https://*.hf.space"));
+        }
+      }
+      return origWriteHead.apply(this, [statusCode, ...whArgs]);
+    };
+  }
+
+  return origEmit.apply(this, [event, ...args]);
+};

start.sh

@@ -242,6 +242,10 @@ CONFIG_JSON=$(echo "$CONFIG_JSON" | jq '.channels.whatsapp = {"dmPolicy": "pairi
 echo "$CONFIG_JSON" > "/home/node/.openclaw/openclaw.json"
 chmod 600 /home/node/.openclaw/openclaw.json
 
+# ── Enable Iframe Fix (Security: No Token Redirect) ──
+# This Node.js preload script strips X-Frame-Options to allow HF Space embedding
+export NODE_OPTIONS="${NODE_OPTIONS:+$NODE_OPTIONS }--require /home/node/app/iframe-fix.cjs"
+
 # ── Startup Summary ──
 echo ""
 echo "  ┌──────────────────────────────────────────┐"