fix: add 'self' to the frame-ancestors directive (#3018)

Wyatt Johnson
2020-07-15 18:47:07 +00:00
committed by GitHub
parent 5c863f1307
commit d43fbe357a
+4 -8
@@ -102,16 +102,12 @@ export const cspSiteMiddleware = ({ mongo }: Options): RequestHandler => async (
};
function generateContentSecurityPolicy(allowedOrigins: string[]) {
const directives: Record<string, any> = {};
// Only the domains that are allowed by the tenant may embed Coral.
directives.frameAncestors =
allowedOrigins.length > 0 ? allowedOrigins : ["'none'"];
const frameAncestors =
allowedOrigins.length > 0 ? ["'self'", ...allowedOrigins] : ["'none'"];
// Build the directive.
const directive = builder({ directives });
return directive;
// Build and return the directive.
return builder({ directives: { frameAncestors } });
}
export function generateFrameOptions(req: Request, allowedOrigins: string[]) {
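Review bot: The tenant-configured `allowedOrigins` values are spliced into the `frame-ancestors` source list at the `["'self'", ...allowedOrigins]` line without any check that each entry is a single well-formed origin, so an entry containing whitespace or `;` would add extra sources or even extra directives to the emitted header (assuming `builder` joins sources with spaces, as CSP builders generally do; this file does not show its implementation). A cheap guard before building would be `const sources = allowedOrigins.filter((origin) => /^[^\s;,]+$/.test(origin));` with `sources` used in place of `allowedOrigins`, or validate each entry with `new URL(origin).origin` at configuration time. The `'none'` branch also drops `'self'` when no tenant origins are configured, which may be intentional but deserves a comment such as `// No tenant origins configured: refuse all framing, including by Coral itself.` so the asymmetry with the commit title is not read as a bug. `generateFrameOptions` starts on the last line of the hunk and continues outside it; since `X-Frame-Options` can express at most one origin, the two headers should be checked for consistency with this change.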