From 55462ae7e3f21d27f71ccb19a7bfb851e74eaa71 Mon Sep 17 00:00:00 2001
From: Shrikant Sharat Kandula
Date: Wed, 25 Jan 2023 14:13:36 +0530
Subject: [PATCH] chore: Add frame-ancestors CSP during dev time (#19735)

We use `APPSMITH_ALLOWED_FRAME_ANCESTORS` env variable to determine the CSP value for `frame-ancestors` in the Docker container, but we don't do this in the `start-https.sh` script, which is used during development. This PR fixes this inconsistency.
---
 app/client/start-https.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/client/start-https.sh b/app/client/start-https.sh
index 5e867a94ed..707a84eafc 100755
--- a/app/client/start-https.sh
+++ b/app/client/start-https.sh
@@ -259,6 +259,9 @@ $(if [[ $use_https == 1 ]]; then echo "
 proxy_set_header X-Forwarded-Host \$host;
 proxy_set_header Accept-Encoding '';
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+ add_header Content-Security-Policy \"frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self' *}\";
+
 sub_filter_once off;
 location / {
 proxy_pass $frontend;
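Review bot: The added `add_header` only attaches the header to 2xx/3xx responses, so error pages proxied from `$frontend` (4xx/5xx) are still served with no `frame-ancestors` policy; append `always` — `add_header Content-Security-Policy \"frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self' *}\" always;` — so the restriction applies to every response, which is presumably what the Docker nginx config this is meant to mirror does. Because nginx does not inherit `add_header` into any `location` that declares its own `add_header`, this server-level directive is silently dropped for such locations; the `location /` block opening at the end of the hunk (and the `echo` heredoc that starts before it) continues outside the hunk, so whether it or a sibling location sets headers cannot be seen here and should be checked. `${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self' *}` falls back only when the variable is unset, so an exported-but-empty value emits `frame-ancestors` with no sources, which blocks framing entirely including `'self'`; use `${APPSMITH_ALLOWED_FRAME_ANCESTORS:-'self' *}` if unset and empty are meant to behave alike. The value is also spliced unescaped into the generated nginx config, so a value containing `\"` or `;` would break or rewrite the config — tolerable for a developer-controlled dev script, but worth a comment next to the URL line such as `# value is inserted verbatim into the nginx config; keep it a plain CSP source list (no quotes or semicolons)`.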