a4c3d3d8c0
When `allowed_domains` is configured on a web widget inbox, the server responds with Content-Security-Policy: frame-ancestors <domains>, which blocks the widget iframe in mobile app WebViews. This happens because WebViews load content from file:// or null origins, which cannot match any domain in the frame-ancestors directive. This adds a per-inbox toggle — "Enable widget in mobile apps" — that skips the frame-ancestors header when the request has no valid Origin (i.e., it comes from a mobile WebView). Web browsers with a real origin still get domain restrictions enforced as usual. <img width="2330" height="1490" alt="CleanShot 2026-03-11 at 10 13 01@2x" src="https://github.com/user-attachments/assets/d9326fac-020d-4ce7-9ced-0c185468c8fc" /> Fixes https://linear.app/chatwoot/issue/CW-6560/widget-is-not-loading-from-iosandroid-widgets How to test 1. Go to Settings → Inboxes → (Web Widget) → Configuration 2. Set allowed_domains to a specific domain (e.g., *.example.com) 3. Try loading the widget in a mobile app WebView — it should be blocked 4. Enable "Enable widget in mobile apps" checkbox 5. Reload the widget in the WebView — it should now load successfully 6. Verify the widget on a website not in the allowed domains list is still blocked --------- Co-authored-by: iamsivin <iamsivin@gmail.com>