fix: Handle Empty String in iFrame Embedding Config options

[prakhar-singh1928]

🔗 Related Issue

Closes #2492

---

📝 Summary

This PR fixes X_FRAME_OPTIONS related middleware behavior not properly handling empty string values.

Key changes:

• Fixed middleware bug where empty string "" was falling through to the default case and being treated like DENY (adding frame-ancestors 'none'), when it should allow all embedding (no frame-ancestors directive)
• Updated test cases in test_security_middleware_comprehensive.py to use None instead of "" when testing disabled iframe restrictions, matching the config validator's behavior that converts empty strings to None
• Added test_x_frame_options_empty_string_returns_none

The root cause was:

1. The middleware was incorrectly treating empty string "" as an unknown value, defaulting to DENY behavior(adding frame-ancestors 'none') (blocking embedding)

All X_FRAME_OPTIONS now exhibit expected behaviour

🏷️ Type of Change

• Bug fix
• Feature / Enhancement
• Documentation
• Refactor
• Chore (deps, CI, tooling)
• Other (describe below)

---

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅ Passed (Pylint score: 10/10)
Unit tests	make test	✅ Passed (all X_FRAME_OPTIONS tests)
Coverage ≥ 80%	make coverage	✅ Passed (100% for modified files, 99%+ overal

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes
• Documentation updated (if applicable)
• No secrets or credentials committed

---

📓 Notes (optional)

Targeted local verification executed:

• pytest tests/unit/mcpgateway/test_config.py -v ✅
• pytest tests/security/test_security_middleware_comprehensive.py ✅

[ja8zyjits]

Looks good to me

Verified by following steps:

1. Update .env file and update this X_FRAME_OPTIONS= with value " "/null
2. Create this file in your local machine

`index.html`

<!DOCTYPE html>
<html>
<head>
    <title>Test X-Frame-Options</title>
</head>
<body>
    <h1>Testing X-Frame-Options</h1>
    <p>The iframe below should may or may not be blocked depending on config by the browser:</p>
    <iframe src="http://localhost:8000/" width="800" height="600"></iframe>
    <p>Check browser console (F12) for errors.</p>
</body>
</html>

3. Run Mcp gateway and try to open index.html in a different tab as a file (no need to update gateway code). The embedded mcp-gateway must be visible.

Regards,
Jitesh

[crivetimihai]

Review Notes

Rebased onto current main (1902707) and squashed 9 commits into a single clean commit preserving original author attribution.

Changes made during rebase

• Squashed commits: 9 incremental commits → 1 clean conventional commit
• Style fix: Added missing blank lines between new top-level test functions in test_config.py (project standard: 2 blank lines)

Review findings

Bug confirmed: The root cause was correctly identified. When X_FRAME_OPTIONS="", the old validator passed the empty string through unchanged. The middleware then correctly omitted the X-Frame-Options header (empty string is falsy), but the CSP frame-ancestors block still executed ("" is not None is True), and "".upper() matched no branch, falling to the else default → frame-ancestors 'none' — which still blocked embedding via CSP.

Fix is correct: Normalizing "" / whitespace-only to None at the config validator level is the right approach. The middleware already handles None properly (skips both X-Frame-Options and frame-ancestors). No middleware changes needed.

Security: No regression — default remains DENY. Empty string → None is an intentional opt-in.

Test coverage: 100% on the middleware module, 99% on config (3 misses are unrelated). All validator branches covered. The ALLOW-ALL expected value fix ("*" → "* file: http: https:") corrects a pre-existing test bug.

All 167 related tests pass.

[crivetimihai]

Approved

Rebased onto main, squashed 9 commits into 1, and applied additional hardening based on review.

Changes applied during review

1. Docs fix (P2): Updated .env.example — empty string docs incorrectly claimed "" yields frame-ancestors * file: http: https:. It now correctly documents that "" / null / none all remove iframe restrictions (no headers sent).

2. Middleware hardening (P3): Added defense-in-depth normalization in the middleware itself — if x_frame_options is ever set to "" or whitespace programmatically (bypassing the config validator), the middleware now treats it as None instead of falling through to frame-ancestors 'none'.

3. Stale comments (P4): Fixed misleading comments in middleware (line 258) and test file (line 665) that still referenced the old empty-string semantics.

4. Test coverage: Added 2 new middleware-level unit tests (test_x_frame_options_raw_empty_string, test_x_frame_options_raw_whitespace_string) to exercise the hardened bypass path. Middleware coverage remains at 100%.

Manual verification

Tested end-to-end with Playwright across all four config scenarios:

Config	X-Frame-Options	CSP frame-ancestors	iframe Result
Default (DENY)	DENY	'none'	Blocked
X_FRAME_OPTIONS=""	absent	absent	Loads successfully
X_FRAME_OPTIONS=SAMEORIGIN	SAMEORIGIN	'self'	Blocked (cross-origin)
X_FRAME_OPTIONS=" "	absent	absent	Loads successfully

Test results

• 223 related tests pass (config + security + middleware)
• Full unit suite: 11,932 passed
• Full security suite: 238 passed
• Differential coverage: security_headers.py 100%, config.py 99%