Update:Set Content-Security-Policy header to disallow iframes

server/Server.js

@@ -194,18 +194,21 @@ class Server {
 
     const app = express()
 
-    /**
-     * @temporary
-     * This is necessary for the ebook & cover API endpoint in the mobile apps
-     * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests
-     * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint
-     * The cover image is fetched with XMLHttpRequest in the mobile apps to load into a canvas and extract colors
-     * @see https://ionicframework.com/docs/troubleshooting/cors
-     *
-     * Running in development allows cors to allow testing the mobile apps in the browser
-     * or env variable ALLOW_CORS = '1'
-     */
     app.use((req, res, next) => {
+      // Prevent clickjacking by disallowing iframes
+      res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
+
+      /**
+       * @temporary
+       * This is necessary for the ebook & cover API endpoint in the mobile apps
+       * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests
+       * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint
+       * The cover image is fetched with XMLHttpRequest in the mobile apps to load into a canvas and extract colors
+       * @see https://ionicframework.com/docs/troubleshooting/cors
+       *
+       * Running in development allows cors to allow testing the mobile apps in the browser
+       * or env variable ALLOW_CORS = '1'
+       */
       if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/(ebook|cover)(\/[0-9]+)?/)) {
         const allowedOrigins = ['capacitor://localhost', 'http://localhost']
         if (global.AllowCors || Logger.isDev || allowedOrigins.some((o) => o === req.get('origin'))) {