Codecov Report

Merging #2963 (8433ed1) into develop (4d47c08) will increase coverage by 0.07%.
The diff coverage is 0.00%.

@@             Coverage Diff             @@
##           develop    #2963      +/-   ##
===========================================
+ Coverage    24.00%   24.08%   +0.07%     
===========================================
  Files           49       49              
  Lines        10121    10135      +14     
===========================================
+ Hits          2430     2441      +11     
- Misses        7691     7694       +3     

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

interesting. but doesn't that violate the source's content policies?

It might violate but it it does not necessarily.
Most time the header is set to prevent of XSS attacks and not to avoid embedding. But a XSS attack at the electron instance providing the mirrors page is very unlikely.

In my case even my self hosted Node Red dashboard has set the header and I did not find a option to disable it.

if I remember this correctly we had already such issues and we inserted a config option httpHeaders for this.

Have you tested iframe embedding with these

let config = {
	address: "localhost",
	port: 8080,
	httpHeaders: { contentSecurityPolicy: false, crossOriginOpenerPolicy: false, crossOriginEmbedderPolicy: false, crossOriginResourcePolicy: false, originAgentCluster: false, frameguard: false },
	...
}

httpHeaders?

Did a quick check in server.js and the Changelog.
The httpHeaders control can be used to control if the MagicMirror page can be embedded with a Iframe.
But they can not be used to control the headers of pages that are embedded to the mirror page.

thanks for clarifying, had the older iframe change in mind and wanted to avoid doing something which is already implemented.

Thank you very much.