From f9aaeb3a3448bc92cdab016f42709889115d9b31 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Sat, 23 Nov 2024 11:17:13 -0600
Subject: [PATCH] Update:Set Content-Security-Policy header to disallow iframes
---
 server/Server.js | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/server/Server.js b/server/Server.js
index e40e7c57..ae9746d8 100644
--- a/server/Server.js
+++ b/server/Server.js
@@ -194,18 +194,21 @@ class Server {
 const app = express()
- /**
- * @temporary
- * This is necessary for the ebook & cover API endpoint in the mobile apps
- * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests
- * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint
- * The cover image is fetched with XMLHttpRequest in the mobile apps to load into a canvas and extract colors
- * @see https://ionicframework.com/docs/troubleshooting/cors
- *
- * Running in development allows cors to allow testing the mobile apps in the browser
- * or env variable ALLOW_CORS = '1'
- */
 app.use((req, res, next) => {
+ // Prevent clickjacking by disallowing iframes
+ res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
+
+ /**
+ * @temporary
+ * This is necessary for the ebook & cover API endpoint in the mobile apps
+ * The mobile app ereader is using fetch api in Capacitor that is currently difficult to switch to native requests
+ * so we have to allow cors for specific origins to the /api/items/:id/ebook endpoint
+ * The cover image is fetched with XMLHttpRequest in the mobile apps to load into a canvas and extract colors
+ * @see https://ionicframework.com/docs/troubleshooting/cors
+ *
+ * Running in development allows cors to allow testing the mobile apps in the browser
+ * or env variable ALLOW_CORS = '1'
+ */
 if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/(ebook|cover)(\/[0-9]+)?/)) {
 const allowedOrigins = ['capacitor://localhost', 'http://localhost']
 if (global.AllowCors || Logger.isDev || allowedOrigins.some((o) => o === req.get('origin'))) {
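Review bot: The added `frame-ancestors 'self'` header is the only framing control set in this middleware, so a client that does not implement the CSP `frame-ancestors` directive gets no clickjacking protection; adding `res.setHeader('X-Frame-Options', 'SAMEORIGIN')` on the next line applies the same policy for those clients. The new comment says iframes are disallowed, but `'self'` still permits same-origin framing, so `// Prevent clickjacking: only same-origin pages may frame this app` would describe the header accurately. Because `setHeader` replaces any existing value, a later handler that sets its own Content-Security-Policy would silently drop this directive, which is worth confirming against the routes registered after this middleware. The `app.use` callback continues past the end of the hunk, so the rest of the CORS handling is not visible here.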