Open
Description
The Content-Security-Policy frame-src directive still includes https://simlin.firebaseapp.com and https://auth.simlin.com. With the migration to server-side OAuth (the server-side-auth branch), the client no longer uses Firebase's redirect-based auth flow, so the simlin.firebaseapp.com entry may no longer be needed.
Why it matters
- Security: CSP directives should follow the principle of least privilege. Allowing frame sources that are no longer needed expands the attack surface unnecessarily.
- Maintainability: Stale CSP entries create confusion about what external services the application actually depends on.
Component(s) affected
- Server (CSP header configuration)
Steps to resolve
- Confirm that no remaining functionality (e.g., Firebase Hosting, other Firebase features beyond auth) relies on framing `simlin.firebaseapp.com`.
- Confirm whether `auth.simlin.com` is still needed after server-side auth is fully deployed.
- Remove any entries from the `frame-src` directive that are no longer required.
- Test that auth flows and any iframe-based features still work correctly after the change.
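As an added example (not Simlin's own server code), the following JavaScript parses a `Content-Security-Policy` header, reports which `frame-src` sources are not on the set of sources the review confirmed are still required, and rebuilds the header with `frame-src` reduced to that set. The header string and the `STILL_REQUIRED` set are constructed for illustration; which entries are actually still required is exactly what the confirmation steps above are meant to establish.

```javascript
// Added example, not part of the project's code. Parses a CSP header into its
// directives, lists stale frame-src sources, and emits a tightened header.

// Constructed sample header reflecting the state described in the issue.
const CURRENT_HEADER =
  "default-src 'self'; script-src 'self'; " +
  "frame-src 'self' https://simlin.firebaseapp.com https://auth.simlin.com";

// Hypothetical outcome of the "confirm" steps: only these frame sources
// remain in use. Adjust once the review has actually settled the question.
const STILL_REQUIRED = ["'self'", 'https://auth.simlin.com'];

// Split "name src src; name src ..." into an ordered Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives.entries()]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Return the frame-src sources that are not in `required` (case-insensitive).
function staleFrameSources(header, required) {
  const frameSrc = parseCsp(header).get('frame-src') || [];
  const keep = new Set(required.map((s) => s.toLowerCase()));
  return frameSrc.filter((s) => !keep.has(s.toLowerCase()));
}

// Rebuild the header with frame-src limited to `required`. A header with no
// frame-src directive is returned unchanged. If nothing remains, 'none' is
// written explicitly so framing stays blocked instead of falling back to
// whatever default-src allows.
function tightenFrameSrc(header, required) {
  const directives = parseCsp(header);
  if (!directives.has('frame-src')) return header;
  const stale = new Set(staleFrameSources(header, required).map((s) => s.toLowerCase()));
  const kept = directives.get('frame-src').filter((s) => !stale.has(s.toLowerCase()));
  directives.set('frame-src', kept.length > 0 ? kept : ["'none'"]);
  return serializeCsp(directives);
}

console.log('stale frame-src entries:', staleFrameSources(CURRENT_HEADER, STILL_REQUIRED));
console.log('tightened header:', tightenFrameSrc(CURRENT_HEADER, STILL_REQUIRED));
```

The tightened header is only a candidate: the last step above (exercising the auth flow and any iframe-based features against it in a browser, with the CSP report in the devtools console) is what confirms that no needed frame source was dropped.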
Context
Identified during review of the server-side-auth branch changes, which moved OAuth handling from client-side Firebase redirects to server-side processing.