From 0ffbb524721d64fa7032018e986820a5ce0647e7 Mon Sep 17 00:00:00 2001
From: Evan Bonsignori
Date: Tue, 24 Jan 2023 11:43:25 -0800
Subject: [PATCH] allow any frame ancestor in dev (#34109)
---
 middleware/helmet.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/middleware/helmet.js b/middleware/helmet.js
index c613cd0f9b..f5502a20fc 100644
--- a/middleware/helmet.js
+++ b/middleware/helmet.js
@@ -40,7 +40,7 @@ const DEFAULT_OPTIONS = {
 isDev && 'http://localhost:3000',
 'https://www.youtube-nocookie.com',
 ].filter(Boolean),
- frameAncestors: [...GITHUB_DOMAINS],
+ frameAncestors: isDev ? ['*'] : [...GITHUB_DOMAINS],
 styleSrc: ["'self'", "'unsafe-inline'", 'data:', AZURE_STORAGE_URL],
 childSrc: ["'self'"], // exception for search in deprecated GHE versions
 upgradeInsecureRequests: isDev ? null : [],
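Review bot: The `isDev ? ['*']` branch on the new `frameAncestors` line drops the framing restriction entirely whenever `isDev` is true, and how `isDev` is computed is not visible in this hunk. If it is derived from an environment variable, a staging or preview instance started in development mode would send `frame-ancestors *` and lose its clickjacking protection, so it is worth confirming that the flag cannot be true on anything reachable from outside a developer machine. A why-comment on the line would record the intent, for example `// dev only: allow embedding from any origin; production stays limited to GITHUB_DOMAINS`. If the development use case involves a known set of embedding origins, listing them instead of `'*'` would keep the dev policy closer to what production enforces. `DEFAULT_OPTIONS` begins and ends outside the hunk.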