fix: ancestor header issue fix - allowing all domain iframe src embed

app/Http/Middleware/XFrameOptions.php

@@ -17,22 +17,10 @@ public function handle(Request $request, Closure $next): Response
     {
         $response = $next($request);
 
-        $option = 'SAMEORIGIN';
-
         if ($request->route()->getName() == 'embed') {
-            $xframeOptions = env('X_FRAME_OPTIONS', $option);
-            if ($xframeOptions) {
-                $host = $request->getHttpHost();
-                $xframeOptions = str_replace('*', $host, $xframeOptions);
-                if (strpos($xframeOptions, 'ALLOW-FROM') !== false) {
-                    $url = trim(str_replace('ALLOW-FROM', '', $xframeOptions));
-                    $response->header('Content-Security-Policy', 'frame-ancestors '.$url);
-                }
-            }
-        } else {
-            $xframeOptions = $option;
+            $response->header('Content-Security-Policy', 'frame-ancestors frame-src data: blob: *');
         }
 
-        return $response->header('X-Frame-Options', $xframeOptions);
+        return $response;
     }
 }

resources/ops/docker/nginx/vhost.conf

@@ -8,6 +8,7 @@ server {
 
     client_max_body_size 200m;
 
+    add_header X-Frame-Options "SAMEORIGIN";
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";