feat(server): broaden CSP frame-ancestors so owletto extension can embed the whole app#884
The Chrome extension's sidepanel iframes the gateway's UI. The CSP
'frame-ancestors' directive used to scope chrome-extension framing
to the '/embedded' route only — fine when /embedded was a stub. That
stub is going away (see lobu-ai/owletto: feat/sidepanel-whole-app);
the sidepanel now iframes the whole app at /.
This change:
- Drops the path-based check for '/embedded'.
- Adds our own extension ID to frame-ancestors for all HTML routes
(the deterministic ID derived from apps/chrome/manifest.json's
'key' field: amnnhclgmbldmfcfamonoggjhfidemmm).
- LOBU_OWLETTO_EXTENSION_IDS env var accepts a comma-separated list
for dev builds with a different manifest key, validated against
Chrome's '^[a-p]{32}$' ID shape.
Still narrow — arbitrary extensions can't iframe the app, only ours.
Clickjacking defense preserved against everything else.
Companion to lobu-ai/owletto#TBD (feat/sidepanel-whole-app).

Why

The Chrome extension's sidepanel used to iframe `/embedded`, a stub route. The companion PR replaces that with iframing the gateway's root — same UI users get in a regular tab. CSP `frame-ancestors` was scoped to `/embedded` only, so without this change the iframe is refused by Chrome.

What

- `path === '/embedded'` check.
- `amnnhclgmbldmfcfamonoggjhfidemmm` (derived from the manifest `key` we shipped in PR feat(observability): vendor-neutral OTEL tracing + opt-in Sentry #172) to `frame-ancestors` for all HTML routes.
- `LOBU_OWLETTO_EXTENSION_IDS` accepts a comma-separated list of additional IDs (validated against Chrome's `^[a-p]{32}$` ID shape) — for dev builds with a different manifest key.

Still narrow

`frame-ancestors` reads `'self' <https://lobu.ai et al> chrome-extension://amnnhclgmbldmfcfamonoggjhfidemmm`. Arbitrary extensions remain blocked from iframing the app.
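As an added example (not the project's own code), here is how a gateway could assemble the `frame-ancestors` directive this PR describes: the shipped extension ID is always present, IDs from `LOBU_OWLETTO_EXTENSION_IDS` are accepted only if they match `^[a-p]{32}$`, and anything else in the env var is rejected rather than widening the policy. The function names, the helper structure and the choice of `https://lobu.ai` as the only web origin (the page says "et al") are assumptions.

```javascript
// Hypothetical helper for building the CSP frame-ancestors value for HTML routes.
// Chrome extension IDs are 32 characters from the range a-p (lowercase only).
const EXTENSION_ID_SHAPE = /^[a-p]{32}$/;

// Deterministic ID derived from apps/chrome/manifest.json's 'key' field (from the PR).
const OWN_EXTENSION_ID = 'amnnhclgmbldmfcfamonoggjhfidemmm';

// Web origins that may frame the app; the real list is longer ("et al" on the page).
const BASE_ANCESTORS = ["'self'", 'https://lobu.ai'];

// Parse a comma-separated list of extra extension IDs (dev builds with another manifest key).
// Entries that do not look like a Chrome extension ID are reported, not silently dropped,
// so a typo or an attempt to smuggle '*' or a web origin into the policy is visible in logs.
function parseExtensionIds(envValue) {
  const ids = [];
  const rejected = [];
  for (const raw of (envValue ?? '').split(',')) {
    const id = raw.trim();
    if (id === '') continue; // tolerate trailing commas and blank entries
    if (EXTENSION_ID_SHAPE.test(id)) ids.push(id);
    else rejected.push(id);
  }
  return { ids, rejected };
}

// Build the directive. Our own ID is always included; extra IDs are deduplicated.
// Returns the rejected entries alongside the directive so the caller can log them.
function buildFrameAncestors(env = {}) {
  const { ids, rejected } = parseExtensionIds(env.LOBU_OWLETTO_EXTENSION_IDS);
  const allIds = [...new Set([OWN_EXTENSION_ID, ...ids])];
  const sources = [
    ...BASE_ANCESTORS,
    ...allIds.map((id) => `chrome-extension://${id}`),
  ];
  return { directive: `frame-ancestors ${sources.join(' ')}`, rejected };
}

// Constructed input: one valid dev ID, two values that must never reach the policy,
// and a duplicate of the shipped ID.
const sample = buildFrameAncestors({
  LOBU_OWLETTO_EXTENSION_IDS:
    'abcdefghijklmnopabcdefghijklmnop, *, https://evil.example, amnnhclgmbldmfcfamonoggjhfidemmm',
});
console.log(sample.directive);
console.log('rejected:', sample.rejected);
```

Because `frame-ancestors` takes precedence over `X-Frame-Options` in browsers that support it, make sure the gateway does not also send a conflicting `X-Frame-Options` header on these routes.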