From ceb0984262ee3ea8c95572f26b7376c5bd35095a Mon Sep 17 00:00:00 2001 From: daniel-c-harvey Date: Sun, 7 Jun 2026 17:16:49 -0400 Subject: [PATCH] fix: force FramePlayer to WASM-only render mode; document CORS policy intent --- DeepDrftPublic.Client/Pages/FramePlayer.razor | 1 + DeepDrftPublic/Program.cs | 3 +++ 2 files changed, 4 insertions(+) diff --git a/DeepDrftPublic.Client/Pages/FramePlayer.razor b/DeepDrftPublic.Client/Pages/FramePlayer.razor index 177c406..24b1ab6 100644 --- a/DeepDrftPublic.Client/Pages/FramePlayer.razor +++ b/DeepDrftPublic.Client/Pages/FramePlayer.razor @@ -5,6 +5,7 @@ @page "/FramePlayer" @layout EmbedLayout +@rendermode InteractiveWebAssembly diff --git a/DeepDrftPublic/Program.cs b/DeepDrftPublic/Program.cs index 695d6ed..8add77d 100644 --- a/DeepDrftPublic/Program.cs +++ b/DeepDrftPublic/Program.cs @@ -77,6 +77,9 @@ else } } +// CORS policy registered for hygiene and potential direct cross-origin API consumers. +// The FramePlayer embed use case does not require this: WASM inside a cross-site iframe +// fetches to the same deepdrft.com origin, so all API calls are same-origin. app.UseCors("FramePlayerEmbedPolicy"); // For requests to /FramePlayer, remove any X-Frame-Options header and set a permissive