Update:Set Content-Security-Policy header to disallow iframes

This commit is contained in:
advplyr 2024-11-23 11:17:13 -06:00
parent d19bb909b3
commit f9aaeb3a34

View File

@ -194,6 +194,10 @@ class Server {
const app = express()
app.use((req, res, next) => {
// Prevent clickjacking by disallowing iframes
res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
/**
* @temporary
* This is necessary for the ebook & cover API endpoint in the mobile apps
@ -205,7 +209,6 @@ class Server {
* Running in development allows cors to allow testing the mobile apps in the browser
* or env variable ALLOW_CORS = '1'
*/
app.use((req, res, next) => {
if (Logger.isDev || req.path.match(/\/api\/items\/([a-z0-9-]{36})\/(ebook|cover)(\/[0-9]+)?/)) {
const allowedOrigins = ['capacitor://localhost', 'http://localhost']
if (global.AllowCors || Logger.isDev || allowedOrigins.some((o) => o === req.get('origin'))) {