From 5b2d7b6a1fdc7795c5cc20e84cb9c2cc8265ad31 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Mon, 8 Apr 2024 23:21:08 +0800
Subject: [PATCH] Add frame-ancestors 'self'
---
 routers/web/repo/render.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routers/web/repo/render.go b/routers/web/repo/render.go
index f62f0b853f0d0..668d6a6322348 100644
--- a/routers/web/repo/render.go
+++ b/routers/web/repo/render.go
@@ -45,7 +45,7 @@ func RenderFile(ctx *context.Context) {
 isTextFile := st.IsText()
 rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{})
- ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
+ ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; frame-ancestors 'self'; sandbox allow-scripts")
 if markupType := markup.Type(blob.Name()); markupType == "" {
 if isTextFile {
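Review bot: The policy string on the changed `ctx.Resp.Header().Add("Content-Security-Policy", ...)` line now carries three separate security decisions and nothing says why each is there, so a later edit could drop one unnoticed. I would add above it `// frame-src: the rendered file may embed only same-origin frames; frame-ancestors: only this site may embed the rendered file; sandbox without allow-same-origin: its scripts run in an opaque origin.` Because the call is `Add` rather than `Set`, any Content-Security-Policy header written earlier in the handler chain (not visible in this hunk) is sent alongside this one and browsers enforce both; that is stricter, but worth confirming as intended. Browsers that do not implement `frame-ancestors` fall back to `X-Frame-Options`, so it is worth checking that this route also gets `SAMEORIGIN` from elsewhere. RenderFile's body starts and ends outside the hunk.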