From 552e174b0d5895a19915dd7234d30f475a9e96a1 Mon Sep 17 00:00:00 2001 From: Dan Zajdband Date: Mon, 28 Nov 2016 14:23:22 -0500 Subject: [PATCH 1/2] fix(embed): Disabled framing middleware enabling placing the comment box in third-party sites. In the future we will count with a whitelist so we can adjust the middleware --- app.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/app.js b/app.js index 8008cb01e..48ede6e63 100644 --- a/app.js +++ b/app.js @@ -22,7 +22,10 @@ if (app.get('env') !== 'test') { //============================================================================== app.set('trust proxy', 1); -app.use(helmet()); +// We disable frameward on helmet to allow crossdomain injection of the embed +app.use(helmet({ + frameguard: false +})); app.use(bodyParser.json()); app.use('/client', express.static(path.join(__dirname, 'dist'))); app.set('views', path.join(__dirname, 'views')); From f6e423e9455a7786c499da1036b13c5d50d86d03 Mon Sep 17 00:00:00 2001 From: Dan Zajdband Date: Mon, 28 Nov 2016 15:09:26 -0500 Subject: [PATCH 2/2] Fixed linting issues --- app.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.js b/app.js index 48ede6e63..a30d1a202 100644 --- a/app.js +++ b/app.js @@ -24,7 +24,7 @@ if (app.get('env') !== 'test') { app.set('trust proxy', 1); // We disable frameward on helmet to allow crossdomain injection of the embed app.use(helmet({ - frameguard: false + frameguard: false })); app.use(bodyParser.json()); app.use('/client', express.static(path.join(__dirname, 'dist')));