Update:Set Content-Security-Policy header to disallow iframes

This commit is contained in:
advplyr 2024-11-23 11:17:13 -06:00
parent d19bb909b3
commit f9aaeb3a34


@ -194,6 +194,10 @@ class Server {
const app = express() const app = express()
app.use((req, res, next) => {
// Prevent clickjacking by disallowing iframes
res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
/** /**
* @temporary * @temporary
* This is necessary for the ebook & cover API endpoint in the mobile apps * This is necessary for the ebook & cover API endpoint in the mobile apps
@ -205,7 +209,6 @@ class Server {
* Running in development allows cors to allow testing the mobile apps in the browser * Running in development allows cors to allow testing the mobile apps in the browser
* or env variable ALLOW_CORS = '1' * or env variable ALLOW_CORS = '1'
*/ */
app.use((req, res, next) => {
if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/(ebook|cover)(\/[0-9]+)?/)) { if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/(ebook|cover)(\/[0-9]+)?/)) {
const allowedOrigins = ['capacitor://localhost', 'http://localhost'] const allowedOrigins = ['capacitor://localhost', 'http://localhost']
if (global.AllowCors || Logger.isDev || allowedOrigins.some((o) => o === req.get('origin'))) { if (global.AllowCors || Logger.isDev || allowedOrigins.some((o) => o === req.get('origin'))) {
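Review bot: The `res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")` added in the first hunk (@ -194) is the only framing protection, and `frame-ancestors` is ignored by browsers without CSP Level 2 support, so the legacy header should be set next to it: `res.setHeader('X-Frame-Options', 'SAMEORIGIN')`. Since `setHeader` replaces rather than merges, any Content-Security-Policy set earlier in the middleware chain is silently overwritten here, and any further directives added later must be folded into this same string. The `@temporary` JSDoc block that documented the CORS `app.use` now sits inside the merged middleware body after the CSP line (the old `app.use` opener is removed in the second hunk), so it no longer reads as that middleware's header comment — either keep the CSP setter in its own `app.use` or move the comment above the new opening line. The middleware body and `class Server` continue outside both hunks.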