From 241ff16bb43c3dac25fc4d0e4cf26f44bcc6395d Mon Sep 17 00:00:00 2001
From: jramos
Date: Fri, 13 Feb 2026 11:14:59 -0700
Subject: [PATCH] Fix: Allow iframe embedding from frontend origin using CSP frame-ancestors
---
 backend/routes/knowledgeBase.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/backend/routes/knowledgeBase.js b/backend/routes/knowledgeBase.js
index 2898714..6362bcc 100644
--- a/backend/routes/knowledgeBase.js
+++ b/backend/routes/knowledgeBase.js
@@ -241,6 +241,9 @@ function createKnowledgeBaseRouter(db, upload) {
 res.setHeader('Content-Type', contentType);
 // Use inline instead of attachment to allow browser to display
 res.setHeader('Content-Disposition', `inline; filename="${row.file_name}"`);
+ // Allow iframe embedding from frontend origin
+ res.removeHeader('X-Frame-Options');
+ res.setHeader('Content-Security-Policy', "frame-ancestors 'self' http://71.85.90.9:3000 http://localhost:3000");
 res.sendFile(row.file_path);
 });
 });
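Review bot: The added `Content-Security-Policy` header hard-codes the origins allowed to frame this response, a public IP over plain HTTP and `http://localhost:3000`, so the development origin ships to production and the policy has to be edited in code for every deployment. Read the allowlist from configuration instead, for example `res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${frameAncestors.join(' ')}`);` where `frameAncestors` (illustrative name) is built from an environment setting and omits localhost outside development. `setHeader` also replaces any policy that middleware set earlier for this response, which cannot be seen from this hunk; if one exists, merge `frame-ancestors` into it rather than overwriting it. Because the file is served inline with a stored content type, consider also sending the `sandbox` directive for HTML or SVG content types so an uploaded document cannot run script in the API origin. The route handler begins above the hunk.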