mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-06 15:50:25 +00:00
58ba991c0d
Adds a configurable frame-src directive so an extension can embed a self-hosted web app in an iframe (e.g. an 'external app tab' pinning Grafana / Vaultwarden / a dashboard). Mirrors the existing HERMES_WEBUI_CSP_CONNECT_EXTRA knob: space-separated http(s) origins with optional *.subdomain wildcard + port, validated, ignored if malformed (directive-injection / paths / ws scheme / bad ports all rejected). - Default frame-src is 'self' only, so existing same-origin iframes are unchanged; default-off when the env var is unset. - frame-ancestors stays 'none' -- this only governs what THIS page may embed, never who may embed the WebUI. - Threaded through both the enforced and report-only CSP builders + the server.py Handler wrapper, so both headers stay identical. Docs in docs/EXTENSIONS.md. 8 new regression tests (tests/test_csp_frame_src_extra.py) cover default, valid widening, enforced parity, directive-injection rejection, path/ws/port rejection, and connect/frame independence. Existing CSP test suite still green. Note: full suite shows 2 pre-existing order-dependent flakes (test_issue1574 spawn-context, test_issue3283 import-order) that pass in isolation and are untouched by this CSP-only diff.