From cb1b5872a6b63c93e658ee2918df1f8aa713f809 Mon Sep 17 00:00:00 2001
From: Grant Lanham <contact@grantlanham.com>
Date: Sun, 1 Mar 2026 11:12:55 -0500
Subject: [PATCH] fix: intercept and remove security headeres so remote site
 can load

---
 src/main/index.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/main/index.js b/src/main/index.js
index b82968e..86ce1cf 100644
--- a/src/main/index.js
+++ b/src/main/index.js
@@ -1,4 +1,4 @@
-const { app, BrowserWindow, shell, ipcMain } = require("electron");
+const { app, BrowserWindow, shell, ipcMain, session } = require("electron");
 const path = require("path");
 
 // Import centralized configuration
@@ -292,6 +292,17 @@ function createWindow() {
 }
 
 app.whenReady().then(() => {
+  // Strip X-Frame-Options and CSP frame-ancestors headers so the remote site can load in our iframe
+  session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+    const stripped = ['x-frame-options', 'content-security-policy'];
+    const headers = Object.fromEntries(
+      Object.entries(details.responseHeaders).filter(
+        ([key]) => !stripped.includes(key.toLowerCase())
+      )
+    );
+    callback({ responseHeaders: headers });
+  });
+
   createWindow();
 
   app.on("activate", function () {