diff --git a/server/Server.js b/server/Server.js index e40e7c57..ae9746d8 100644 --- a/server/Server.js +++ b/server/Server.js @@ -194,18 +194,21 @@ class Server { const app = express() - /** - * @temporary - * This is necessary for the ebook & cover API endpoint in the mobile apps - * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests - * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint - * The cover image is fetched with XMLHttpRequest in the mobile apps to load into a canvas and extract colors - * @see https://ionicframework.com/docs/troubleshooting/cors - * - * Running in development allows cors to allow testing the mobile apps in the browser - * or env variable ALLOW_CORS = '1' - */ app.use((req, res, next) => { + // Prevent clickjacking by disallowing iframes + res.setHeader('Content-Security-Policy', "frame-ancestors 'self'") + + /** + * @temporary + * This is necessary for the ebook & cover API endpoint in the mobile apps + * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests + * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint + * The cover image is fetched with XMLHttpRequest in the mobile apps to load into a canvas and extract colors + * @see https://ionicframework.com/docs/troubleshooting/cors + * + * Running in development allows cors to allow testing the mobile apps in the browser + * or env variable ALLOW_CORS = '1' + */ if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/(ebook|cover)(\/[0-9]+)?/)) { const allowedOrigins = ['capacitor://localhost', 'http://localhost'] if (global.AllowCors || Logger.isDev || allowedOrigins.some((o) => o === req.get('origin'))) {