 * (no allow-same-origin). It has a deliberately permissive CSP so ad
 * network scripts can run, while the main app's strict CSP is untouched.
 *
 * SECURITY MODEL
 * ─────────────
 * The iframe sandbox uses:
 *   allow-scripts | allow-popups | allow-popups-to-escape-sandbox
 *
 * Without allow-same-origin the iframe runs in a null/opaque origin.
 * Any attempt by an ad-network script to access window.parent throws a
 * SecurityError — the WS auth token (window.CAD_CONFIG) is completely
 * unreachable.
 *
 * SWITCHING AD NETWORKS
 * ─────────────────────
 * Exactly one section below should be uncommented at a time.
 * See the CSP header comment for the values to enable per network.
 */

// ── CSP for this frame ────────────────────────────────────────────────────────
//
// This is intentionally LESS restrictive than the main app to allow ad scripts.
// frame-ancestors restricts who may embed this page (only our own origin).
//
// Adjust the allowed origins for your chosen network:
//
// EthicalAds:      script-src   add https://media.ethicalads.io
//                  connect-src  add https://server.ethicalads.io
//                  img-src      add https://media.ethicalads.io
//
// Google AdSense:  script-src   add https://pagead2.googlesyndication.com
//                               add https://ep2.adtrafficquality.google
//                  connect-src  *  (Google uses many endpoints)
//                  frame-src    add https://googleads.g.doubleclick.net
//                               add https://tpc.googlesyndication.com
//

$frameAncestors = 'https://cadmic.app https://ads.cadmic.app';

// ── Uncomment the CSP block for your active ad network ────────────────────────

// --- EthicalAds CSP ---
// header("Content-Security-Policy: default-src 'none'; "
//     . "script-src 'unsafe-inline' https://media.ethicalads.io; "
//     . "style-src 'unsafe-inline'; "
//     . "img-src https://media.ethicalads.io data:; "
//     . "connect-src https://server.ethicalads.io; "
//     . "frame-ancestors {$frameAncestors}");

// --- Google AdSense CSP ---
// header("Content-Security-Policy: default-src 'none'; "
//     . "script-src 'unsafe-inline' https://pagead2.googlesyndication.com https://ep2.adtrafficquality.google; "
//     . "style-src 'unsafe-inline'; "
//     . "img-src * data:; "
//     . "connect-src *; "
//     . "frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; "
//     . "frame-ancestors {$frameAncestors}");

// --- Placeholder (no ad network yet) ---
header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; frame-ancestors {$frameAncestors}");

header('X-Content-Type-Options: nosniff');

// No X-Frame-Options here — we WANT this to be embeddable by our own app.
// frame-ancestors in CSP above handles the embedding restriction properly.
?>
Ad
Advertisement
C A D M I C

Professional 2D CAD in your browser — free, no install required.

Try it free

Ad supported · free forever
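As an added example that is not part of the cadmic.app source above: a small JavaScript checker for the two invariants the header comment relies on, that the frame's CSP denies everything by default and lets only the site's own origins embed it, and that the parent's iframe sandbox carries allow-scripts without allow-same-origin. The origin list is the one in $frameAncestors; the function names are my own.

```javascript
// Added example, not part of the cadmic.app ad-frame source: check the CSP
// and sandbox invariants the header comment above depends on.

// Origins the page itself lists in $frameAncestors.
const OWN_ORIGINS = ['https://cadmic.app', 'https://ads.cadmic.app'];

// Parse "default-src 'none'; frame-ancestors a b" into
// { 'default-src': ["'none'"], 'frame-ancestors': ['a', 'b'] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Problems with the frame's own CSP; an empty list means it matches the model:
// everything denied by default and only our own origins allowed to embed it.
function checkFrameCsp(header) {
  const p = parseCsp(header);
  const problems = [];
  if (!p['default-src'] || p['default-src'].join(' ') !== "'none'") {
    problems.push("default-src must be 'none'");
  }
  const ancestors = p['frame-ancestors'];
  if (!ancestors) {
    problems.push('frame-ancestors missing: any site could embed this frame');
  } else {
    for (const src of ancestors) {
      if (!OWN_ORIGINS.includes(src)) problems.push(`frame-ancestors allows ${src}`);
    }
  }
  return problems;
}

// Problems with the parent's <iframe sandbox="..."> token list. allow-scripts
// together with allow-same-origin lets a script in the frame remove its own
// sandbox attribute, so the two must never be combined here.
function checkSandbox(tokens) {
  const set = new Set(tokens.map((t) => t.toLowerCase()));
  const problems = [];
  if (!set.has('allow-scripts')) problems.push('allow-scripts missing: ad scripts cannot run');
  if (set.has('allow-same-origin')) problems.push('allow-same-origin present: frame would share the app origin');
  return problems;
}
```

Run checkFrameCsp against the header string the PHP above emits and checkSandbox against the sandbox tokens in the embedding app's iframe tag; both should return empty lists.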