Bug: custom IFRAME_ORIGINS still sends X-Frame-Options: DENY and breaks allowed embeds

[shaun0927]

Describe the bug

When IFRAME_ORIGINS is set to a custom allowlist, Flowise still sends X-Frame-Options: DENY alongside Content-Security-Policy: frame-ancestors ....

That makes the response headers internally contradictory:

• CSP explicitly allows the configured embed origin(s)
• X-Frame-Options denies all framing

In browsers or embedded environments that still enforce X-Frame-Options, the documented iframe allowlist configuration does not work.

To Reproduce

1. Set IFRAME_ORIGINS=https://embed.example.com
2. Start Flowise
3. Request any Flowise page and inspect the response headers
4. Observe:
   • Content-Security-Policy: frame-ancestors https://embed.example.com
   • X-Frame-Options: DENY
5. Attempt to embed Flowise from the allowed origin in an environment that honors X-Frame-Options

Expected behavior

If a custom iframe allowlist is configured, the response should allow those origins to embed the app.

Screenshots

No response

Flow

No response

Use Method

pnpm start

Flowise Version

3.1.2 and current main at 73d57db9

Operating System

macOS

Browser

Chrome

Additional context

Local reproduction of the current header logic with IFRAME_ORIGINS=https://embed.example.com yields:

{
  "Content-Security-Policy": "frame-ancestors https://embed.example.com",
  "X-Frame-Options": "DENY"
}

This appears to have been introduced by the clickjacking fix in PR #6185.

A narrow fix would be:

• * => CSP only
• 'self' => CSP + X-Frame-Options: SAMEORIGIN
• custom allowlist => CSP only
• 'none' => CSP + X-Frame-Options: DENY