From 9267f070b3ad94456df412dd301e1b8e2c010543 Mon Sep 17 00:00:00 2001
From: admin <admin@bnkops.ca>
Date: Tue, 10 Mar 2026 18:26:41 -0600
Subject: [PATCH] Fix Vaultwarden iframe embedding by stripping upstream CSP
 header

Vaultwarden sends a restrictive Content-Security-Policy with frame-ancestors
that blocks iframe embedding. The embed proxy (port 8890) already stripped
this header, but the subdomain server block did not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 nginx/conf.d/services.conf.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nginx/conf.d/services.conf.template b/nginx/conf.d/services.conf.template
index 3ec7c196..9e530917 100644
--- a/nginx/conf.d/services.conf.template
+++ b/nginx/conf.d/services.conf.template
@@ -194,6 +194,7 @@ server {
         set $upstream_vaultwarden http://vaultwarden-changemaker:80;
         proxy_pass $upstream_vaultwarden;
         proxy_hide_header X-Frame-Options;
+        proxy_hide_header Content-Security-Policy;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;