From 95c593c9eba08fb3eaa8f826317a295b7f497bc1 Mon Sep 17 00:00:00 2001
From: coolneng
Date: Tue, 20 Jul 2021 15:58:06 +0200
Subject: [PATCH] Allow frame embedding in Gitea

---
 modules/webstack.nix | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/modules/webstack.nix b/modules/webstack.nix
index df38fd7..fddec01 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -24,16 +24,12 @@
 # Minimize information leaked to other domains
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 
-# Disable embedding as a frame
-add_header X-Frame-Options DENY;
+# Disable embedding as a frame, except from the same origin
+add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
 
 # Prevent injection of code in other mime types (XSS Attacks)
 add_header X-Content-Type-Options nosniff;
 
-# Enable XSS protection of the browser.
-# May be unnecessary when CSP is configured properly (see above)
-add_header X-XSS-Protection "1; mode=block";
-
 # This might create errors
 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 '';
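Review bot: Dropping `X-Frame-Options` entirely leaves no clickjacking protection for clients that do not implement CSP `frame-ancestors`, so keep a fallback `add_header X-Frame-Options SAMEORIGIN;` next to the new Content-Security-Policy line. Since the new comment describes "the same origin", the `'self'` keyword states that without hard-coding the hostname: `add_header Content-Security-Policy "frame-ancestors 'self'";`. `frame-src` limits what Gitea pages may themselves embed rather than who may embed them, so it is presumably not needed for the stated goal and could break legitimate embedded content; confirm before keeping it. If this `add_header` ends up in a location block, nginx discards add_header directives inherited from the enclosing level, so verify that Referrer-Policy and X-Content-Type-Options are still emitted; the enclosing nix string starts outside the hunk.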