From 7542cd14e242e34124db4285e227708fcbddb7b7 Mon Sep 17 00:00:00 2001
From: Gani Georgiev <gani.georgiev@gmail.com>
Date: Mon, 4 May 2026 13:38:42 +0300
Subject: [PATCH] [#7677] fixed default ui csp to allow iframe/object previews

---
 apis/serve.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apis/serve.go b/apis/serve.go
index 193d103c..785e0c21 100644
--- a/apis/serve.go
+++ b/apis/serve.go
@@ -22,7 +22,7 @@ import (
 	"golang.org/x/crypto/acme/autocert"
 )
 
-const defaultCSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' http://127.0.0.1:* https://tile.openstreetmap.org data: blob:; connect-src 'self' http://127.0.0.1:* https://nominatim.openstreetmap.org; script-src 'self' http://127.0.0.1:*; frame-src 'none'"
+const defaultCSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' http://127.0.0.1:* https://tile.openstreetmap.org data: blob:; connect-src 'self' http://127.0.0.1:* https://nominatim.openstreetmap.org; script-src 'self' http://127.0.0.1:*; frame-ancestors 'none'"
 
 // ServeConfig defines a configuration struct for apis.Serve().
 type ServeConfig struct {