fix allow all frame_ancestors (#1552)

kevalmahajan · web-flow · commit da5d06797212 · 2025-12-04T21:16:02.000+05:30
* fix allow all frame_ancestors

Signed-off-by: Keval Mahajan &lt;mahajankeval23@gmail.com&gt;

* updated test cases

Signed-off-by: Keval Mahajan &lt;mahajankeval23@gmail.com&gt;

---------

Signed-off-by: Keval Mahajan &lt;mahajankeval23@gmail.com&gt;
diff --git a/.env.example b/.env.example
@@ -536,6 +536,7 @@ SECURITY_HEADERS_ENABLED=true
 # "" (empty string): Allows all iframe embedding → frame-ancestors * file: http: https:
 # null or none: Completely removes iframe restrictions (no headers sent)
 # ALLOW-FROM uri: Allows specific domain (deprecated, use CSP instead)
+# ALLOW-ALL uri: Allows all (*, http, https)
 # 
 # Both X-Frame-Options header and CSP frame-ancestors directive are automatically synced.
 # Modern browsers prioritize CSP frame-ancestors over X-Frame-Options.
diff --git a/README.md b/README.md
@@ -1620,7 +1620,7 @@ ContextForge implements **OAuth 2.0 Dynamic Client Registration (RFC 7591)** and
 > **iframe Embedding**: The gateway controls iframe embedding through both `X-Frame-Options` header and CSP `frame-ancestors` directive (both are automatically synced). Options:
 > - `X_FRAME_OPTIONS=DENY` (default): Blocks all iframe embedding
 > - `X_FRAME_OPTIONS=SAMEORIGIN`: Allows embedding from same domain only  
-> - `X_FRAME_OPTIONS=""`: Allows embedding from all sources (sets `frame-ancestors * file: http: https:`)
+> - `X_FRAME_OPTIONS="ALLOW-ALL"`: Allows embedding from all sources (sets `frame-ancestors * file: http: https:`)
 > - `X_FRAME_OPTIONS=null` or `none`: Completely removes iframe restrictions (no headers sent)
 >
 > Modern browsers prioritize CSP `frame-ancestors` over the legacy `X-Frame-Options` header. Both are now kept in sync automatically.
diff --git a/charts/mcp-stack/values.schema.json b/charts/mcp-stack/values.schema.json
@@ -487,7 +487,7 @@
             },
             "X_FRAME_OPTIONS": {
               "type": "string",
-              "enum": ["DENY", "SAMEORIGIN"],
+              "enum": ["DENY", "SAMEORIGIN", "ALLOW-ALL"],
               "description": "X-Frame-Options header value",
               "default": "DENY"
             },
diff --git a/docs/docs/architecture/adr/014-security-headers-cors-middleware.md b/docs/docs/architecture/adr/014-security-headers-cors-middleware.md
@@ -213,7 +213,7 @@ By default, iframe embedding is **disabled** for security via `X-Frame-Options:
 
 1. **Same-domain embedding**: Set `X_FRAME_OPTIONS=SAMEORIGIN`
 2. **Specific domain embedding**: Set `X_FRAME_OPTIONS=ALLOW-FROM https://trusted-domain.com`
-3. **Disable frame protection**: Set `X_FRAME_OPTIONS=""` (not recommended)
+3. **Disable frame protection**: Set `X_FRAME_OPTIONS="ALLOW-ALL"` (not recommended)
 
 **Note**: When changing X-Frame-Options, also consider updating the CSP `frame-ancestors` directive for comprehensive browser support.
 
diff --git a/docs/docs/index.md b/docs/docs/index.md
@@ -1173,7 +1173,7 @@ You can get started by copying the provided [.env.example](https://github.com/IB
 >
 > **Security Headers**: The gateway automatically adds configurable security headers to all responses including CSP, X-Frame-Options, X-Content-Type-Options, X-Download-Options, and HSTS (on HTTPS). All headers can be individually enabled/disabled. Sensitive server headers are removed.
 >
-> **iframe Embedding**: By default, `X-Frame-Options: DENY` prevents iframe embedding for security. To allow embedding, set `X_FRAME_OPTIONS=SAMEORIGIN` (same domain) or disable with `X_FRAME_OPTIONS=""`. Also update CSP `frame-ancestors` directive if needed.
+> **iframe Embedding**: By default, `X-Frame-Options: DENY` prevents iframe embedding for security. To allow embedding, set `X_FRAME_OPTIONS=SAMEORIGIN` (same domain) or allow all with `X_FRAME_OPTIONS="ALLOW-ALL"`. Also update CSP `frame-ancestors` directive if needed.
 >
 > **Cookie Security**: Authentication cookies are automatically configured with HttpOnly, Secure (in production), and SameSite attributes for CSRF protection.
 >
diff --git a/mcpgateway/middleware/security_headers.py b/mcpgateway/middleware/security_headers.py
@@ -295,7 +295,7 @@ async def dispatch(self, request: Request, call_next) -> Response:
             elif x_frame_upper.startswith("ALLOW-FROM"):
                 allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
                 frame_ancestors = allowed_uri
-            elif not x_frame:  # Empty string means allow all (including file:// scheme)
+            elif x_frame_upper == "ALLOW-ALL":
                 frame_ancestors = "* file: http: https:"
             else:
                 # Default to none for unknown values (matches DENY default)
diff --git a/tests/security/test_security_middleware_comprehensive.py b/tests/security/test_security_middleware_comprehensive.py
@@ -622,7 +622,7 @@ class TestFrameAncestorsCSPConsistency:
             ("DENY", "'none'"),
             ("SAMEORIGIN", "'self'"),
             ("ALLOW-FROM https://example.com", "https://example.com"),
-            ("", "*"),  # Empty string should allow all
+            ("ALLOW-ALL", "*"),  # Empty string should allow all
             ("invalid-value", "'none'"),  # Unknown values default to none
         ],
     )

Original file line number	Diff line number	Diff line change
`@@ -536,6 +536,7 @@ SECURITY_HEADERS_ENABLED=true`
`536`	`536`	`# "" (empty string): Allows all iframe embedding → frame-ancestors * file: http: https:`
`537`	`537`	`# null or none: Completely removes iframe restrictions (no headers sent)`
`538`	`538`	`# ALLOW-FROM uri: Allows specific domain (deprecated, use CSP instead)`
	`539`	`+# ALLOW-ALL uri: Allows all (*, http, https)`
`539`	`540`	`#`
`540`	`541`	`# Both X-Frame-Options header and CSP frame-ancestors directive are automatically synced.`
`541`	`542`	`# Modern browsers prioritize CSP frame-ancestors over X-Frame-Options.`
Original file line number	Diff line number	Diff line change
`@@ -1620,7 +1620,7 @@ ContextForge implements OAuth 2.0 Dynamic Client Registration (RFC 7591) and`
`1620`	`1620`	> iframe Embedding: The gateway controls iframe embedding through both `X-Frame-Options` header and CSP `frame-ancestors` directive (both are automatically synced). Options:
`1621`	`1621`	> - `X_FRAME_OPTIONS=DENY` (default): Blocks all iframe embedding
`1622`	`1622`	> - `X_FRAME_OPTIONS=SAMEORIGIN`: Allows embedding from same domain only
`1623`		-> - `X_FRAME_OPTIONS=""`: Allows embedding from all sources (sets `frame-ancestors * file: http: https:`)
	`1623`	+> - `X_FRAME_OPTIONS="ALLOW-ALL"`: Allows embedding from all sources (sets `frame-ancestors * file: http: https:`)
`1624`	`1624`	> - `X_FRAME_OPTIONS=null` or `none`: Completely removes iframe restrictions (no headers sent)
`1625`	`1625`	`>`
`1626`	`1626`	> Modern browsers prioritize CSP `frame-ancestors` over the legacy `X-Frame-Options` header. Both are now kept in sync automatically.
Original file line number	Diff line number	Diff line change
`@@ -1173,7 +1173,7 @@ You can get started by copying the provided [.env.example](https://github.com/IB`
`1173`	`1173`	`>`
`1174`	`1174`	`> Security Headers: The gateway automatically adds configurable security headers to all responses including CSP, X-Frame-Options, X-Content-Type-Options, X-Download-Options, and HSTS (on HTTPS). All headers can be individually enabled/disabled. Sensitive server headers are removed.`
`1175`	`1175`	`>`
`1176`		-> iframe Embedding: By default, `X-Frame-Options: DENY` prevents iframe embedding for security. To allow embedding, set `X_FRAME_OPTIONS=SAMEORIGIN` (same domain) or disable with `X_FRAME_OPTIONS=""`. Also update CSP `frame-ancestors` directive if needed.
	`1176`	+> iframe Embedding: By default, `X-Frame-Options: DENY` prevents iframe embedding for security. To allow embedding, set `X_FRAME_OPTIONS=SAMEORIGIN` (same domain) or allow all with `X_FRAME_OPTIONS="ALLOW-ALL"`. Also update CSP `frame-ancestors` directive if needed.
`1177`	`1177`	`>`
`1178`	`1178`	`> Cookie Security: Authentication cookies are automatically configured with HttpOnly, Secure (in production), and SameSite attributes for CSRF protection.`
`1179`	`1179`	`>`
Original file line number	Diff line number	Diff line change
`@@ -622,7 +622,7 @@ class TestFrameAncestorsCSPConsistency:`
`622`	`622`	`("DENY", "'none'"),`
`623`	`623`	`("SAMEORIGIN", "'self'"),`
`624`	`624`	`("ALLOW-FROM https://example.com", "https://example.com"),`
`625`		`- ("", "*"), # Empty string should allow all`
	`625`	`+ ("ALLOW-ALL", "*"), # Empty string should allow all`
`626`	`626`	`("invalid-value", "'none'"), # Unknown values default to none`
`627`	`627`	`],`
`628`	`628`	`)`