Disallow iframe protections in embedded dashboard (#35992)

GitOrigin-RevId: 2cf994b9a3a0f91aed90a6ca4bd62f3a1776f6c9

Author: Nicolapps

npm-packages/dashboard-self-hosted/next.config.js

@@ -17,18 +17,10 @@ const securityHeaders = [
     key: "X-XSS-Protection",
     value: "1; mode=block",
   },
-  {
-    key: "X-Frame-Options",
-    value: "SAMEORIGIN",
-  },
   {
     key: "Referrer-Policy",
     value: "origin-when-cross-origin",
   },
-  {
-    key: "Content-Security-Policy",
-    value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(),
-  },
 ];
 
 const optionsForExport = {
@@ -45,19 +37,30 @@ const optionsForBuild = {
       {
         // Apply these headers to all routes in your application.
         source: "/:path*",
-        headers: process.env.EMBEDDED_CORS_HEADERS
-          ? [
-              ...securityHeaders,
-              {
-                key: "Cross-Origin-Resource-Policy",
-                value: "cross-origin",
-              },
-              {
-                key: "Cross-Origin-Embedder-Policy",
-                value: "require-corp",
-              },
-            ]
-          : securityHeaders,
+        headers: [
+          ...securityHeaders,
+          ...(process.env.EMBEDDED_CORS_HEADERS
+            ? [
+                {
+                  key: "Cross-Origin-Resource-Policy",
+                  value: "cross-origin",
+                },
+                {
+                  key: "Cross-Origin-Embedder-Policy",
+                  value: "require-corp",
+                },
+              ]
+            : [
+                {
+                  key: "X-Frame-Options",
+                  value: "SAMEORIGIN",
+                },
+                {
+                  key: "Content-Security-Policy",
+                  value: ContentSecurityPolicy.replace(/\s{2,}/g, " ").trim(),
+                },
+              ]),
+        ],
       },
     ];
   },