From ce833d91cede2de1986e8d0f82c08d0711ddf138 Mon Sep 17 00:00:00 2001
From: octo-patch
Date: Thu, 9 Apr 2026 09:47:27 +0800
Subject: [PATCH] fix: include home_content URL in CSP frame-src origins (fixes #1519)

---
 backend/internal/service/setting_service.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/backend/internal/service/setting_service.go b/backend/internal/service/setting_service.go
index 7d0ef5bd..5c90317d 100644
--- a/backend/internal/service/setting_service.go
+++ b/backend/internal/service/setting_service.go
@@ -333,8 +333,8 @@ func safeRawJSONArray(raw string) json.RawMessage {
 	return json.RawMessage("[]")
 }
 
-// GetFrameSrcOrigins returns deduplicated http(s) origins from purchase_subscription_url
-// and all custom_menu_items URLs. Used by the router layer for CSP frame-src injection.
+// GetFrameSrcOrigins returns deduplicated http(s) origins from home_content URL,
+// purchase_subscription_url, and all custom_menu_items URLs. Used by the router layer for CSP frame-src injection.
 func (s *SettingService) GetFrameSrcOrigins(ctx context.Context) ([]string, error) {
 	settings, err := s.GetPublicSettings(ctx)
 	if err != nil {
@@ -353,6 +353,9 @@ func (s *SettingService) GetFrameSrcOrigins(ctx context.Context) ([]string, erro
 		}
 	}
 
+	// home content URL (when home_content is set to a URL for iframe embedding)
+	addOrigin(settings.HomeContent)
+
 	// purchase subscription URL
 	if settings.PurchaseSubscriptionEnabled {
 		addOrigin(settings.PurchaseSubscriptionURL)
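Review bot: `addOrigin(settings.HomeContent)` in the second hunk is called unconditionally, while the purchase URL right below it is gated on `PurchaseSubscriptionEnabled`; the new comment itself says home_content is only a URL "when it is set to a URL", so inline (non-URL) content also reaches addOrigin. Whether that widens the CSP frame-src allowlist depends on addOrigin, which is defined above this hunk and not visible here — if it simply parses the value and keeps any http(s) scheme, content that merely begins with a URL would still contribute an origin. Gate the call on the same predicate the frontend uses to decide iframe rendering, for example `if u, err := url.Parse(strings.TrimSpace(settings.HomeContent)); err == nil && u.Host != "" && (u.Scheme == "http" || u.Scheme == "https") { addOrigin(settings.HomeContent) }` (assuming net/url and strings are already imported), and preferably factor that predicate into one shared helper so backend and frontend cannot drift. GetFrameSrcOrigins begins before and continues past the visible hunk lines.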