Add /config endpoint and remove X-Frame-Options headers (#88)

SteffenDE · claude · josevalim · web-flow · commit c58fc8f81871 · 2025-09-19T14:10:15.000+01:00
Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
Co-authored-by: José Valim &lt;jose.valim@dashbit.co&gt;
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ If you want to use Docker for development, you either need to enable the configu
 
 ### Content security policy
 
-If you have enabled Content-Security-Policy, Tidewave will automatically enable "unsafe-eval" under `script-src` in order for contextual browser testing to work correctly.
+If you have enabled Content-Security-Policy, Tidewave will automatically enable "unsafe-eval" under `script-src` in order for contextual browser testing to work correctly. It also disables the `frame-ancestors` directive.
 
 ### Web server requirements
 
diff --git a/lib/tidewave/middleware.rb b/lib/tidewave/middleware.rb
@@ -14,6 +14,7 @@ class Tidewave::Middleware
   SSE_ROUTE = "mcp".freeze
   MESSAGES_ROUTE = "mcp/message".freeze
   SHELL_ROUTE = "shell".freeze
+  CONFIG_ROUTE = "config".freeze
 
   INVALID_IP = <<~TEXT.freeze
     For security reasons, Tidewave does not accept remote connections by default.
@@ -62,23 +63,26 @@ def call(env)
       case [ request.request_method, path ]
       when [ "GET", [ TIDEWAVE_ROUTE ] ]
         return home(request)
+      when [ "GET", [ TIDEWAVE_ROUTE, CONFIG_ROUTE ] ]
+        return config_endpoint(request)
       when [ "POST", [ TIDEWAVE_ROUTE, SHELL_ROUTE ] ]
         return shell(request)
       end
     end
 
-    @app.call(env)
+    status, headers, body = @app.call(env)
+
+    # Remove CSP and X-Frame-Options headers for non-Tidewave routes
+    # to allow embedding the app in Tidewave
+    headers.delete("X-Frame-Options")
+
+    [ status, headers, body ]
   end
 
   private
 
   def home(request)
-    config = {
-      "project_name" => @project_name,
-      "framework_type" => "rails",
-      "tidewave_version" => Tidewave::VERSION,
-      "team" => @team
-    }
+    config = config_data
 
     html = <<~HTML
       <html>
@@ -95,6 +99,19 @@ def home(request)
     [ 200, { "Content-Type" => "text/html" }, [ html ] ]
   end
 
+  def config_endpoint(request)
+    [ 200, { "Content-Type" => "application/json" }, [ JSON.generate(config_data) ] ]
+  end
+
+  def config_data
+    {
+      "project_name" => @project_name,
+      "framework_type" => "rails",
+      "tidewave_version" => Tidewave::VERSION,
+      "team" => @team
+    }
+  end
+
   def forbidden(message)
     Rails.logger.warn(message)
     [ 403, { "Content-Type" => "text/plain" }, [ message ] ]
diff --git a/lib/tidewave/railtie.rb b/lib/tidewave/railtie.rb
@@ -32,6 +32,8 @@ class Railtie < Rails::Railtie
           content_security_policy.directives["script-src"].try do |script_src|
             script_src << "'unsafe-eval'" unless script_src.include?("'unsafe-eval'")
           end
+
+          content_security_policy.directives.delete("frame-ancestors")
         end
       end
     end
diff --git a/spec/middleware_spec.rb b/spec/middleware_spec.rb
@@ -29,6 +29,28 @@ def app
     end
   end
 
+  describe "header removal" do
+    let(:downstream_app_with_headers) do
+      ->(env) { [ 200, { "X-Frame-Options" => "DENY" }, [ "App with headers" ] ] }
+    end
+
+    def app
+      described_class.new(downstream_app_with_headers, config)
+    end
+
+    it "removes X-Frame-Options headers from all responses" do
+      get "/some-route"
+      expect(last_response.status).to eq(200)
+      expect(last_response.headers["X-Frame-Options"]).to be_nil
+      expect(last_response.body).to eq("App with headers")
+    end
+
+    it "removes headers from tidewave routes as well" do
+      get "/tidewave/some-sub-route"
+      expect(last_response.headers["X-Frame-Options"]).to be_nil
+    end
+  end
+
   describe "IP validation" do
     context "when remote access is allowed" do
       before do
@@ -113,6 +135,21 @@ def app
     end
   end
 
+  describe "/tidewave/config" do
+    it "returns JSON configuration" do
+      config.team = { id: "dashbit" }
+      get "/tidewave/config"
+      expect(last_response.status).to eq(200)
+      expect(last_response.headers["Content-Type"]).to eq("application/json")
+
+      parsed_config = JSON.parse(last_response.body)
+      expect(parsed_config["framework_type"]).to eq("rails")
+      expect(parsed_config["tidewave_version"]).to eq(Tidewave::VERSION)
+      expect(parsed_config["team"]).to eq({ "id" => "dashbit" })
+      expect(parsed_config).to have_key("project_name")
+    end
+  end
+
   describe "/tidewave/shell" do
     def parse_binary_response(body)
       chunks = []
