Merge pull request #1523 from octo-patch/fix/issue-1519-home-content-csp-frame-src

fix: include home_content URL in CSP frame-src origins

Merge pull request #1523 from octo-patch/fix/issue-1519-home-content-csp-frame-src
fix: include home_content URL in CSP frame-src origins
9a72025a · Wesley Liddick · GitHub · 74302f60 · ce833d91 · 9a72025a
Unverified Commit 9a72025a authored Apr 09, 2026 by Wesley Liddick Committed by GitHub Apr 09, 2026
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -355,8 +355,8 @@ func safeRawJSONArray(raw string) json.RawMessage {
 	return json.RawMessage("[]")
 }
-// GetFrameSrcOrigins returns deduplicated http(s) origins from purchase_subscription_url
+// GetFrameSrcOrigins returns deduplicated http(s) origins from home_content URL,
-// and all custom_menu_items URLs. Used by the router layer for CSP frame-src injection.
+// purchase_subscription_url, and all custom_menu_items URLs. Used by the router layer for CSP frame-src injection.
 func (s *SettingService) GetFrameSrcOrigins(ctx context.Context) ([]string, error) {
 	settings, err := s.GetPublicSettings(ctx)
 	if err != nil {
@@ -375,6 +375,9 @@ func (s *SettingService) GetFrameSrcOrigins(ctx context.Context) ([]string, erro
 		}
 	}
+	// home content URL (when home_content is set to a URL for iframe embedding)
+	addOrigin(settings.HomeContent)
 	// purchase subscription URL
 	if settings.PurchaseSubscriptionEnabled {
 		addOrigin(settings.PurchaseSubscriptionURL)