feat: restrict iframe embedding to huggingface.co (#2053)
* feat: restrict iframe embedding to huggingface.co
When ALLOW_IFRAME=true, instead of allowing all origins, now specifically
allows embedding only from https://huggingface.co and 'self'.
This enables embedding the chat UI on pages like huggingface.co/papers
while maintaining security by blocking embedding from other origins.
* fix: allow localhost frame-ancestors in development mode
Adds http://localhost:* and http://127.0.0.1:* to allowed frame-ancestors
when running in development mode, enabling local testing of iframe embedding.
* refactor: simplify CSP frame-ancestors configuration
Removes localhost entries from the frame-ancestors directive in development mode, streamlining the Content Security Policy to only allow 'self' and https://huggingface.co when ALLOW_IFRAME is true. This enhances security by limiting iframe embedding origins.
* chore: enable iframe embedding in development and production environments
Updates the ALLOW_IFRAME variable to "true" in both dev.yaml and prod.yaml, allowing iframe embedding across environments. This change supports enhanced integration capabilities while maintaining existing security measures.
* Revert "chore: enable iframe embedding in development and production environments"
This reverts commit 1e1c6d3a6f26e17760f5203f839bc657cbd181ec.
* Always allow huggingface.co as iframe embedder regardless of ALLOW_IFRAME
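As an added illustration of the frame-ancestors policy these commits describe (not chat-ui's own code), the following builds the directive and evaluates candidate embedder origins against it the way a browser's CSP source matching would. The `buildFrameAncestors`, `sourceMatches` and `mayEmbed` helpers, the optional dev-localhost switch and the sample origins are assumptions for the demo.

```javascript
// Added illustration (not chat-ui's own code): build a CSP frame-ancestors
// directive and check which embedding origins it would admit.
const HF_ORIGIN = "https://huggingface.co";

// Assumption: 'self' and huggingface.co are always listed; the dev-only
// localhost sources are a parameter here because the commit history shows
// them being added and later removed again.
function buildFrameAncestors({ devLocalhost = false } = {}) {
  const sources = ["'self'", HF_ORIGIN];
  if (devLocalhost) sources.push("http://localhost:*", "http://127.0.0.1:*");
  return `frame-ancestors ${sources.join(" ")}`;
}

// Match one embedder origin against one CSP source expression: scheme and
// exact host must agree; ':*' accepts any port; a missing port means the
// scheme default. 'self' is resolved against the app's own origin.
function sourceMatches(source, embedder, selfOrigin) {
  if (source === "'self'") return embedder === selfOrigin;
  const [srcScheme, srcRest] = source.split("://");
  const [srcHost, srcPort = ""] = srcRest.split(":");
  const url = new URL(embedder);
  if (url.protocol !== `${srcScheme}:` || url.hostname !== srcHost) return false;
  if (srcPort === "*") return true;
  const defaultPort = srcScheme === "https" ? "443" : "80";
  return (url.port || defaultPort) === (srcPort || defaultPort);
}

// Decide whether a page at `embedder` may frame the app served at `selfOrigin`.
function mayEmbed(directive, embedder, selfOrigin) {
  const sources = directive.replace(/^frame-ancestors\s+/, "").split(/\s+/);
  return sources.some((s) => sourceMatches(s, embedder, selfOrigin));
}
```

Note that only the exact host matches: a subdomain such as hf.example or a plain-http huggingface.co origin is refused unless it is listed explicitly.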