From d0470ecb1131fb4cd2a0d71832b6923ed11f9fea Mon Sep 17 00:00:00 2001
From: Alexey
Date: Thu, 25 Jun 2026 13:58:32 +0300
Subject: [PATCH 1/2] fix: treat CSP frame-ancestors scheme-source (https:) as permissive
---
 lib/plugins/validators/async/21_checkContentType.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/plugins/validators/async/21_checkContentType.js b/lib/plugins/validators/async/21_checkContentType.js
index a8f66bca0..241a14cd0 100644
--- a/lib/plugins/validators/async/21_checkContentType.js
+++ b/lib/plugins/validators/async/21_checkContentType.js
@@ -95,6 +95,7 @@ export default {
 if (frame_ancestors) {
 // allow only if it contains " * " or "http://*" or "https://*"
 frame_ancestors = frame_ancestors.replace(/https?:\/\/\*/ig, '*'); // Ex. Behance video streams via Adobe CDN
+ frame_ancestors = frame_ancestors.replace(/\bhttps?:(?!\S)/ig, '*'); // "https:" alone means any HTTPS origin
 frame_ancestors = frame_ancestors.replace(/^\*/i, ' *');
 frame_ancestors = frame_ancestors.replace(/\*$/i, '* ');
 if (frame_ancestors.indexOf(' * ') == -1) {
From 19c409d431974a5e3d49b54bcc7f04d9427b2d0f Mon Sep 17 00:00:00 2001
From: Alexey
Date: Thu, 25 Jun 2026 15:45:29 +0300
Subject: [PATCH 2/2] change comment
---
 lib/plugins/validators/async/21_checkContentType.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/plugins/validators/async/21_checkContentType.js b/lib/plugins/validators/async/21_checkContentType.js
index 241a14cd0..c073cd597 100644
--- a/lib/plugins/validators/async/21_checkContentType.js
+++ b/lib/plugins/validators/async/21_checkContentType.js
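Review bot: The leading comment two lines above the added replace still says the directive is allowed only if it contains " * ", "http://*" or "https://*", so the scheme-only case this patch introduces is undocumented at the point a reader looks first (the same stale comment is carried into the second hunk); update it to `// allow only if it contains " * ", "http://*", "https://*", or a bare scheme source ("http:" / "https:")`. Rewriting a bare `https:` to `*` is only sound when the embedding page is itself served over HTTPS, because a CSP `https:` scheme-source matches HTTPS ancestors only, whereas `http:` matches both schemes under CSP3 scheme matching and is unconditionally permissive. If the validator knows the embedder's scheme, the `https:` case would be better gated on it; otherwise a short comment stating that assumption on the added line would save the next reader a trip to the spec. The enclosing function starts and ends outside the hunk.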
@@ -95,7 +95,7 @@ export default {
 if (frame_ancestors) {
 // allow only if it contains " * " or "http://*" or "https://*"
 frame_ancestors = frame_ancestors.replace(/https?:\/\/\*/ig, '*'); // Ex. Behance video streams via Adobe CDN
- frame_ancestors = frame_ancestors.replace(/\bhttps?:(?!\S)/ig, '*'); // "https:" alone means any HTTPS origin
+ frame_ancestors = frame_ancestors.replace(/\bhttps?:(?!\S)/ig, '*'); // Ex. "frame-ancestors https:" - scheme-only means any HTTPS origin
 frame_ancestors = frame_ancestors.replace(/^\*/i, ' *');
 frame_ancestors = frame_ancestors.replace(/\*$/i, '* ');
 if (frame_ancestors.indexOf(' * ') == -1) {