allow iframe embedding in reverse proxy (#918)

pulltheflower · Dev Agent · web-flow · commit 234f25209a10 · 2026-04-08T10:27:32.000+08:00
Co-authored-by: Dev Agent &lt;dev-agent@example.com&gt;
diff --git a/builder/proxy/reverse_proxy.go b/builder/proxy/reverse_proxy.go
@@ -78,6 +78,9 @@ func (rp *reverseProxyImpl) ServeHTTP(w http.ResponseWriter, r *http.Request, ap
 		// remove duplicate X-Request-Id header from downstream response
 		// because it is already set by the gateway middleware
 		resp.Header.Del(trace.HeaderRequestID)
+		// allow upstream pages to be embedded in iframes by the parent app
+		resp.Header.Del("X-Frame-Options")
+		resp.Header.Del("Content-Security-Policy")
 
 		return nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,9 @@ func (rp reverseProxyImpl) ServeHTTP(w http.ResponseWriter, r http.Request, ap`
`78`	`78`	`// remove duplicate X-Request-Id header from downstream response`
`79`	`79`	`// because it is already set by the gateway middleware`
`80`	`80`	`resp.Header.Del(trace.HeaderRequestID)`
	`81`	`+ // allow upstream pages to be embedded in iframes by the parent app`
	`82`	`+ resp.Header.Del("X-Frame-Options")`
	`83`	`+ resp.Header.Del("Content-Security-Policy")`
`81`	`84`
`82`	`85`	`return nil`
`83`	`86`	`}`