fix(b2b2c): render_query endpoint cors restrictions (#40094)

Author: mariusandra

posthog/api/test/test_render_query.py

@@ -14,6 +14,7 @@ def test_render_query_page_renders_template(self, mock_render_template, mock_get
 
         assert response.status_code == 200
         assert "X-Frame-Options" not in response.headers
+        assert "frame-ancestors https: http:" in response.headers.get("Content-Security-Policy-Report-Only", "")
 
         mock_render_template.assert_called_once()
         template_name, request = mock_render_template.call_args[0][:2]

posthog/middleware.py

@@ -720,6 +720,13 @@ def __call__(self, request):
                 resource_url = "https://*.dev.posthog.dev"
 
             connect_debug_url = "ws://localhost:8234" if settings.DEBUG or settings.TEST else ""
+            frame_ancestors = "frame-ancestors https://posthog.com https://preview.posthog.com"
+            if request.path.startswith("/render_query"):
+                if settings.DEBUG or settings.TEST:
+                    frame_ancestors = "frame-ancestors https: http:"
+                else:
+                    frame_ancestors = "frame-ancestors https:"
+
             csp_parts = [
                 "default-src 'self'",
                 f"style-src 'self' 'unsafe-inline' {resource_url} https://fonts.googleapis.com",
@@ -729,7 +736,7 @@ def __call__(self, request):
                 "child-src 'none'",
                 "object-src 'none'",
                 f"img-src 'self' data: {resource_url} https://posthog.com https://www.gravatar.com https://res.cloudinary.com https://platform.slack-edge.com",
-                "frame-ancestors https://posthog.com https://preview.posthog.com",
+                frame_ancestors,
                 f"connect-src 'self' https://status.posthog.com {resource_url} {connect_debug_url} https://raw.githubusercontent.com https://api.github.com",
                 # allow all sites for displaying heatmaps
                 "frame-src https:",