fix: relax csp iframe restriction (2)

inglettronald · inglettronald · commit 99e57ffa56ff · 2026-05-19T10:38:51.000-05:00
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -11,7 +11,7 @@ const headersHandler = (async ({ event, resolve }) => {
   response.headers.set("Permissions-Policy", "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()");
   response.headers.set("X-Content-Type-Options", "nosniff");
   response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
-  response.headers.set("X-Frame-Options", "DENY");
+  // response.headers.set("X-Frame-Options", "DENY");
 
   // Cross-Origin policies
   // COEP intentionally unsafe-none: tightening would require all cross-origin
