From 6379814a083371449985274c6232fa93cb000f28 Mon Sep 17 00:00:00 2001
From: Eugene Pankov
Date: Tue, 8 Nov 2022 10:50:05 +0100
Subject: [PATCH] updated CSP
---
 backend/tabby/app/views.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/backend/tabby/app/views.py b/backend/tabby/app/views.py
index ef7575c..5237373 100644
--- a/backend/tabby/app/views.py
+++ b/backend/tabby/app/views.py
@@ -26,6 +26,7 @@ class TerminalView(APIView):
 response = static.serve(
 request, "terminal.html", document_root=str(settings.STATIC_ROOT)
 )
+ response["Content-Security-Policy"] = "frame-ancestors 'self' https://tabby.sh;"
 response["X-Frame-Options"] = "SAMEORIGIN"
 return response
@@ -35,7 +36,8 @@ class DemoView(APIView):
 response = static.serve(
 request, "demo.html", document_root=str(settings.STATIC_ROOT)
 )
- response["Content-Security-Policy"] = "frame-ancestors https://tabby.sh"
+ response["Content-Security-Policy"] = "frame-ancestors 'self' https://tabby.sh;"
+ response['X-Frame-Options'] = 'ALLOW-FROM https://tabby.sh'
 return response
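Review bot: The added `Content-Security-Policy` line and the existing `X-Frame-Options: SAMEORIGIN` line below it now state different framing policies for terminal.html, and nothing in the hunk says which one is meant to win. Browsers that implement `frame-ancestors` ignore X-Frame-Options when that directive is present, so on them the terminal page becomes embeddable from https://tabby.sh as well as same-origin, while older browsers stay same-origin only. A comment above the pair would make that explicit, e.g. `# frame-ancestors takes precedence where supported; X-Frame-Options is only the fallback for older browsers`. The same policy literal is repeated in the DemoView hunk, so a module-level constant would keep the two views from drifting apart. The enclosing method starts outside the hunk.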
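Review bot: `ALLOW-FROM` on the added `X-Frame-Options` line in DemoView is an obsolete directive that current browsers do not implement; they discard the header, so it gives no fallback where `frame-ancestors` is unsupported. It also cannot express the `'self'` source that the CSP line above it allows, so the few legacy browsers that do honour it would apply a different policy than the CSP. I would either drop the line or send the value TerminalView uses, `response["X-Frame-Options"] = "SAMEORIGIN"`, which fails closed on old browsers at the cost of demo.html not being embeddable from tabby.sh there. The line also uses single quotes where the surrounding lines use double quotes. The enclosing method starts outside the hunk.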