From f260476269a6100a37906eb7529f373c81281a39 Mon Sep 17 00:00:00 2001
From: Mo Bitar
Date: Fri, 16 Feb 2018 08:22:43 -0600
Subject: [PATCH] Allow to be iframed

---
 app/controllers/application_controller.rb | 2 +-
 config/application.rb | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e3aa18d09..d6ac487eb 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,7 +3,7 @@ class ApplicationController < ActionController::Base
 protect_from_forgery with: :null_session
 after_action :set_csrf_cookie
- after_filter :allow_iframe
+ after_action :allow_iframe
 layout :false
diff --git a/config/application.rb b/config/application.rb
index ac93fc14b..079f7d013 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -39,6 +39,10 @@ module Neeto
 end
 end
+ config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'ALLOWALL'
+ }
+
 SecureHeaders::Configuration.default do |config|
 config.csp = {
 # "meta" values. these will shape the header, but the values are not included in the header.
@@ -52,7 +56,7 @@ module Neeto
 connect_src: ["*"],
 font_src: %w(* 'self'),
 form_action: %w('self'),
- frame_ancestors: ["*"],
+ frame_ancestors: ["*", "*.standardnotes.org"],
 img_src: %w('self' * data:),
 manifest_src: %w('self'),
 media_src: %w('self'),
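Review bot: `'ALLOWALL'` is not a value defined for X-Frame-Options (the defined ones are `DENY`, `SAMEORIGIN` and the deprecated `ALLOW-FROM`), so the new `config.action_dispatch.default_headers` entry relies on browsers ignoring a malformed header rather than on a documented permission, which is fragile and reads as a typo to the next maintainer. Assigning a whole new hash to `default_headers` also discards the other security headers Rails ships in that hash (X-Content-Type-Options, X-XSS-Protection and friends) unless something else re-adds them. If the goal is to hand framing policy to the CSP frame-ancestors directive configured just below, remove the header instead of overwriting the hash: `config.action_dispatch.default_headers.delete('X-Frame-Options')`. If the secure_headers gem also emits X-Frame-Options, it presumably needs to be opted out of there as well so the two layers do not disagree; the `module Neeto` body this sits in starts and ends outside the hunk.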
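Review bot: `"*"` already matches every origin, so the `"*.standardnotes.org"` entry added to `frame_ancestors` is dead and the directive still lets any site frame the application, which is exactly the clickjacking exposure frame-ancestors exists to prevent. If the intent is to allow only Standard Notes hosts, drop the wildcard, `frame_ancestors: %w('self' *.standardnotes.org),`; if every origin really is intended, drop the host entry instead so the policy reads the way it behaves. Browsers that support frame-ancestors give it precedence over X-Frame-Options, so this line, not the header set in the previous hunk, is what decides framing. The `config.csp = {` hash this entry belongs to opens in the preceding hunk and closes outside the diff.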