fix(coderd): omit frame-ancestors CSP for embed routes#24529
Merged
Conversation
The CSP wildcard `*` in `frame-ancestors` only matches network schemes (http, https, ws, wss) per the CSP spec. VSCode webviews use the `vscode-webview://` scheme, which is not a network scheme, so `frame-ancestors *` blocks embedding in VSCode. The fix omits `frame-ancestors` entirely from the embed route CSP. When `frame-ancestors` is absent from CSP, no frame ancestor restriction is enforced, allowing embedding from any scheme including `vscode-webview://`. All other CSP protections remain intact, and non-embed routes still have `frame-ancestors 'self'`.
Author (Contributor): @codex review
Codex Review: Didn't find any major issues. Keep them coming!
jeremyruppel approved these changes (Apr 20, 2026)
Problem

PR #24474 added `frame-ancestors 'self'` as the default CSP directive and set `frame-ancestors *` for embed routes (/agents/{agentId}/embed). However, per the CSP spec, the `*` wildcard in `frame-ancestors` only matches network schemes (http, https, ws, wss). VSCode webviews use the `vscode-webview://` scheme, which is not a network scheme, so `frame-ancestors *` blocks embedding.

This is a known limitation documented in:

Fix

Omit the `frame-ancestors` directive entirely from the embed route CSP instead of setting it to `*`. When `frame-ancestors` is absent from CSP, the browser does not enforce frame ancestor restrictions via CSP (`frame-ancestors` does not fall back to `default-src`), allowing embedding from any origin/scheme, including `vscode-webview://`.

- Non-embed routes still have `frame-ancestors 'self'` for clickjacking protection.
- `CODER_ADDITIONAL_CSP_POLICY` overrides are still respected.

Changes

- coderd/httpmw/csp.go: omit `frame-ancestors` when an empty slice is passed via `staticAdditions`
- coderd/coderd.go: pass an empty slice instead of `["*"]` for embed routes
- coderd/httpmw/csp_test.go: add `OmitWhenEmpty` test; update `OverrideViaStaticAdditions` to use a concrete origin

Implementation notes (Coder Agents generated)

Decision log

- Why not `frame-ancestors * vscode-webview://*`? The `frame-ancestors` source list doesn't support arbitrary scheme wildcards. Only network schemes, hostnames, and `'self'` are valid sources.
- An empty `staticAdditions` for `CSPFrameAncestors` signals "omit entirely". The key exists (so the default `'self'` isn't applied), but the empty value triggers deletion before header construction.
- Omitting `frame-ancestors` is equivalent to the pre-#24474 (fix(coderd): add frame-ancestors CSP directive to prevent clickjacking) behavior for these specific routes only.
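As an added example (not code from the coder repository or from this PR), here is a small Go model of the header-building rule the PR describes: an absent `frame-ancestors` key gets the default `'self'`, a present-but-empty slice removes the directive before the header is built, and a non-empty slice replaces the default. It also models the CSP-spec point the PR relies on, that a bare `*` host source matches only network schemes. The names `buildCSP`, `hasDirective`, `wildcardMatchesOrigin`, `cspMiddleware` and the `csp*` constants are assumptions for illustration, not coderd's API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// Directive names used by this example (assumed for illustration; coderd
// keeps its own constants in coderd/httpmw/csp.go).
const (
	cspDefaultSrc     = "default-src"
	cspScriptSrc      = "script-src"
	cspFrameAncestors = "frame-ancestors"
)

// buildCSP serializes a Content-Security-Policy value from a base policy
// plus per-route staticAdditions. The frame-ancestors rule modelled here:
//   - key absent from staticAdditions: the default 'self' is emitted;
//   - key present with an empty slice: the directive is dropped, so the
//     browser enforces no CSP frame-ancestor restriction at all
//     (frame-ancestors never falls back to default-src);
//   - key present with values: those values replace the default.
func buildCSP(staticAdditions map[string][]string) string {
	directives := map[string][]string{
		cspDefaultSrc:     {"'self'"},
		cspScriptSrc:      {"'self'"},
		cspFrameAncestors: {"'self'"},
	}
	for name, vals := range staticAdditions {
		if name == cspFrameAncestors {
			// Override, never append: appending a host to 'self' would
			// widen the allowed ancestor set rather than replace it.
			directives[name] = vals
			continue
		}
		directives[name] = append(directives[name], vals...)
	}
	// An empty value means "omit entirely"; delete before header construction.
	for name, vals := range directives {
		if len(vals) == 0 {
			delete(directives, name)
		}
	}
	names := make([]string, 0, len(directives))
	for name := range directives {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic output for tests and diffing
	parts := make([]string, 0, len(names))
	for _, name := range names {
		parts = append(parts, name+" "+strings.Join(directives[name], " "))
	}
	return strings.Join(parts, "; ")
}

// hasDirective reports whether a serialized policy contains the named directive.
func hasDirective(policy, name string) bool {
	for _, d := range strings.Split(policy, ";") {
		d = strings.TrimSpace(d)
		if d == name || strings.HasPrefix(d, name+" ") {
			return true
		}
	}
	return false
}

// wildcardMatchesOrigin models the CSP rule the PR cites: a bare "*"
// host-source matches only network schemes, so an ancestor loaded from
// vscode-webview:// is not matched by "frame-ancestors *".
func wildcardMatchesOrigin(ancestorOrigin string) bool {
	u, err := url.Parse(ancestorOrigin)
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "http", "https", "ws", "wss":
		return true
	}
	return false
}

// cspMiddleware sets the header per request. isEmbed is the caller's route
// predicate (assumed here; coderd registers its embed routes separately).
func cspMiddleware(isEmbed func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var additions map[string][]string
		if isEmbed(r) {
			// Key present with an empty slice: "omit", not "default".
			additions = map[string][]string{cspFrameAncestors: {}}
		}
		w.Header().Set("Content-Security-Policy", buildCSP(additions))
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println("default: ", buildCSP(nil))
	fmt.Println("embed:   ", buildCSP(map[string][]string{cspFrameAncestors: {}}))
	fmt.Println("override:", buildCSP(map[string][]string{cspFrameAncestors: {"https://ide.example.com"}}))
	fmt.Println("* matches vscode-webview://abc:", wildcardMatchesOrigin("vscode-webview://abc"))
}
```

The distinction the middleware relies on is key presence versus value emptiness: a nil `staticAdditions` map leaves the clickjacking default in place, while an explicit empty slice for the embed route is what removes the directive. Any other directive still merges by appending, so the omission is confined to `frame-ancestors`.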