Add frame-ancestors to allow remote auth

config.example.js

@@ -45,6 +45,9 @@ module.exports = {
 
         // data: is used by codemirror
         "img-src 'self' data: blob:",
+
+        // for accounts.cryptpad.fr authentication
+        "frame-ancestors 'self' accounts.cryptpad.fr",
     ].join('; '),
 
     // CKEditor requires significantly more lax content security policy in order to function.

server.js

@@ -34,6 +34,11 @@ var setHeaders = (function () {
     const headers = clone(config.httpHeaders);
     if (config.contentSecurity) {
         headers['Content-Security-Policy'] = clone(config.contentSecurity);
+        if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
+            // backward compat for those who do not merge the new version of the config
+            // when updating. This prevents endless spinner if someone clicks donate.
+            headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;";
+        }
     }
     const padHeaders = clone(headers);
     if (config.padContentSecurity) {