Fixed
<meta http-equiv="Content-Security-Policy">tags are now stripped from proxied HTML responses -- apps like Mealie (Nuxt) that embed CSP with nonces in the HTML body no longer block the injected interceptor scriptPermissions-Policyresponse header is now stripped from proxied responses -- prevents apps from restricting features like clipboard, fullscreen, and autoplay inside the iframe- Iframe sandbox now includes
allow-popups-to-escape-sandbox-- OAuth and login popups opened by proxied apps can function without sandbox restrictions