update to fix tests

Signed-off-by: Shoumi <[email protected]>

Author: shoummu1

mcpgateway/middleware/security_headers.py

@@ -273,25 +273,21 @@ async def dispatch(self, request: Request, call_next) -> Response:
         # Content Security Policy
         # This CSP is designed to work with the Admin UI while providing security
         # Dynamically set frame-ancestors based on X_FRAME_OPTIONS setting to stay consistent
-        if settings.x_frame_options is None:
-            # No X-Frame-Options configured, default to self
+        x_frame = str(settings.x_frame_options)
+        x_frame_upper = x_frame.upper()
+
+        if x_frame_upper == "DENY":
+            frame_ancestors = "'none'"
+        elif x_frame_upper == "SAMEORIGIN":
             frame_ancestors = "'self'"
+        elif x_frame_upper.startswith("ALLOW-FROM"):
+            allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
+            frame_ancestors = allowed_uri
+        elif not x_frame:  # Empty string means allow all
+            frame_ancestors = "*"
         else:
-            x_frame = str(settings.x_frame_options)
-            x_frame_upper = x_frame.upper()
-
-            if x_frame_upper == "DENY":
-                frame_ancestors = "'none'"
-            elif x_frame_upper == "SAMEORIGIN":
-                frame_ancestors = "'self'"
-            elif x_frame_upper.startswith("ALLOW-FROM"):
-                allowed_uri = x_frame.split(" ", 1)[1] if " " in x_frame else "'none'"
-                frame_ancestors = allowed_uri
-            elif not x_frame:  # Empty string means allow all
-                frame_ancestors = "*"
-            else:
-                # Default to self for unknown values
-                frame_ancestors = "'self'"
+            # Default to none for unknown values (matches DENY default)
+            frame_ancestors = "'none'"
 
         csp_directives = [
             "default-src 'self'",