Fixes CSP directive blocking the iframe issue (#1537)

* fixes CSP directive blocking the iframe issue

Signed-off-by: Shoumi <[email protected]>

* flake8 fixes

Signed-off-by: Shoumi <[email protected]>

---------

Signed-off-by: Shoumi <[email protected]>

Author: shoummu1

.env.example

@@ -530,10 +530,15 @@ COOKIE_SAMESITE=lax
 # Enable security headers middleware (true/false)
 SECURITY_HEADERS_ENABLED=true
 
-# X-Frame-Options setting (DENY, SAMEORIGIN, or ALLOW-FROM uri)
-# DENY: Prevents all iframe embedding (recommended for security)
-# SAMEORIGIN: Allows embedding from same domain only
-# To disable: Set to empty string X_FRAME_OPTIONS=""
+# X-Frame-Options setting - Controls iframe embedding (also sets CSP frame-ancestors)
+# DENY: Prevents all iframe embedding (recommended for security) → frame-ancestors 'none'
+# SAMEORIGIN: Allows embedding from same domain only → frame-ancestors 'self'
+# "" (empty string): Allows all iframe embedding → frame-ancestors * file: http: https:
+# null or none: Completely removes iframe restrictions (no headers sent)
+# ALLOW-FROM uri: Allows specific domain (deprecated, use CSP instead)
+# 
+# Both X-Frame-Options header and CSP frame-ancestors directive are automatically synced.
+# Modern browsers prioritize CSP frame-ancestors over X-Frame-Options.
 X_FRAME_OPTIONS=DENY
 
 # Other security headers (true/false)

README.md

@@ -1598,7 +1598,7 @@ ContextForge implements **OAuth 2.0 Dynamic Client Registration (RFC 7591)** and
 | `SECURE_COOKIES`          | Force secure cookie flags     | `true`                                         | bool       |
 | `COOKIE_SAMESITE`         | Cookie SameSite attribute      | `lax`                                          | `strict`/`lax`/`none` |
 | `SECURITY_HEADERS_ENABLED` | Enable security headers middleware | `true`                                     | bool       |
-| `X_FRAME_OPTIONS`         | X-Frame-Options header value   | `DENY`                                         | `DENY`/`SAMEORIGIN` |
+| `X_FRAME_OPTIONS`         | X-Frame-Options header value   | `DENY`                                         | `DENY`/`SAMEORIGIN`/`""`/`null` |
 | `X_CONTENT_TYPE_OPTIONS_ENABLED` | Enable X-Content-Type-Options: nosniff header | `true`                           | bool       |
 | `X_XSS_PROTECTION_ENABLED` | Enable X-XSS-Protection header | `true`                                         | bool       |
 | `X_DOWNLOAD_OPTIONS_ENABLED` | Enable X-Download-Options: noopen header | `true`                              | bool       |
@@ -1617,7 +1617,13 @@ ContextForge implements **OAuth 2.0 Dynamic Client Registration (RFC 7591)** and
 >
 > **Security Validation**: Set `REQUIRE_STRONG_SECRETS=true` to enforce minimum lengths for JWT secrets and passwords at startup. This helps prevent weak credentials in production. Default is `false` for backward compatibility.
 >
-> **iframe Embedding**: By default, `X-Frame-Options: DENY` prevents iframe embedding for security. To allow embedding, set `X_FRAME_OPTIONS=SAMEORIGIN` (same domain) or disable with `X_FRAME_OPTIONS=""`. Also update CSP `frame-ancestors` directive if needed.
+> **iframe Embedding**: The gateway controls iframe embedding through both `X-Frame-Options` header and CSP `frame-ancestors` directive (both are automatically synced). Options:
+> - `X_FRAME_OPTIONS=DENY` (default): Blocks all iframe embedding
+> - `X_FRAME_OPTIONS=SAMEORIGIN`: Allows embedding from same domain only  
+> - `X_FRAME_OPTIONS=""`: Allows embedding from all sources (sets `frame-ancestors * file: http: https:`)
+> - `X_FRAME_OPTIONS=null` or `none`: Completely removes iframe restrictions (no headers sent)
+>
+> Modern browsers prioritize CSP `frame-ancestors` over the legacy `X-Frame-Options` header. Both are now kept in sync automatically.
 >
 > **Cookie Security**: Authentication cookies are automatically configured with HttpOnly, Secure (in production), and SameSite attributes for CSRF protection.
 >

mcpgateway/config.py

@@ -374,7 +374,23 @@ class Settings(BaseSettings):
 
     # Security Headers Configuration
     security_headers_enabled: bool = Field(default=True)
-    x_frame_options: str = Field(default="DENY")
+    x_frame_options: Optional[str] = Field(default="DENY")
+
+    @field_validator("x_frame_options")
+    @classmethod
+    def normalize_x_frame_options(cls, v: Optional[str]) -> Optional[str]:
+        """Convert string 'null' or 'none' to Python None to disable iframe restrictions.
+
+        Args:
+            v: The x_frame_options value from environment/config
+
+        Returns:
+            None if v is "null" or "none" (case-insensitive), otherwise returns v unchanged
+        """
+        if isinstance(v, str) and v.lower() in ("null", "none"):
+            return None
+        return v
+
     x_content_type_options_enabled: bool = Field(default=True)
     x_xss_protection_enabled: bool = Field(default=True)
     x_download_options_enabled: bool = Field(default=True)

mcpgateway/middleware/security_headers.py

@@ -273,31 +273,35 @@ async def dispatch(self, request: Request, call_next) -> Response:
         # Content Security Policy
         # This CSP is designed to work with the Admin UI while providing security
         # Dynamically set frame-ancestors based on X_FRAME_OPTIONS setting to stay consistent
-        x_frame = str(settings.x_frame_options)
-        x_frame_upper = x_frame.upper()
-
-        if x_frame_upper == "DENY":
-            frame_ancestors = "'none'"
-        elif x_frame_upper == "SAMEORIGIN":
-            frame_ancestors = "'self'"
-        elif x_frame_upper.startswith("ALLOW-FROM"):
-            allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
-            frame_ancestors = allowed_uri
-        elif not x_frame:  # Empty string means allow all
-            frame_ancestors = "*"
-        else:
-            # Default to none for unknown values (matches DENY default)
-            frame_ancestors = "'none'"
-
         csp_directives = [
             "default-src 'self'",
             "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com",
             "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net",
             "img-src 'self' data: https:",
             "font-src 'self' data: https://cdnjs.cloudflare.com",
             "connect-src 'self' ws: wss: https:",
-            f"frame-ancestors {frame_ancestors}",
         ]
+
+        # Only add frame-ancestors if x_frame_options is not None
+        # When None (or "null"/"none" string), completely disable iframe restrictions
+        if settings.x_frame_options is not None:
+            x_frame = str(settings.x_frame_options)
+            x_frame_upper = x_frame.upper()
+
+            if x_frame_upper == "DENY":
+                frame_ancestors = "'none'"
+            elif x_frame_upper == "SAMEORIGIN":
+                frame_ancestors = "'self'"
+            elif x_frame_upper.startswith("ALLOW-FROM"):
+                allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
+                frame_ancestors = allowed_uri
+            elif not x_frame:  # Empty string means allow all (including file:// scheme)
+                frame_ancestors = "* file: http: https:"
+            else:
+                # Default to none for unknown values (matches DENY default)
+                frame_ancestors = "'none'"
+
+            csp_directives.append(f"frame-ancestors {frame_ancestors}")
         response.headers["Content-Security-Policy"] = "; ".join(csp_directives) + ";"
 
         # HSTS for HTTPS connections (configurable)