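import { defineMiddleware } from 'astro:middleware';

// CSP frame-ancestors: controls which origins can embed this site in an iframe.
// Only /embed/* routes may be framed by the external origin listed here;
// every other route is limited to same-origin framing.
const FRAME_ANCESTORS = "'self' https://forrest.warehack.ing";

// Matches a frame-ancestors directive; CSP directive names are case-insensitive.
const FRAME_ANCESTORS_DIRECTIVE = /^frame-ancestors(?:\s|$)/i;

/**
 * Build a Content-Security-Policy value that enforces `sources` as the
 * frame-ancestors list while keeping every other directive already present.
 *
 * `Headers.set()` replaces the whole header, so writing only
 * `frame-ancestors ...` would silently discard a policy (script-src,
 * default-src, ...) set earlier in the response chain.
 *
 * @param {string | null} existingPolicy - Current header value, or null when
 *   the response carries no CSP. Multiple policies arrive comma-separated.
 * @param {string} sources - Source list for the frame-ancestors directive.
 * @returns {string} Header value to send.
 */
function withFrameAncestors(existingPolicy, sources) {
  const directive = `frame-ancestors ${sources}`;

  // Split into policies (','), then directives (';'), and drop any
  // frame-ancestors directive so the one from this middleware is authoritative.
  const policies = (existingPolicy ?? '')
    .split(',')
    .map((policy) =>
      policy
        .split(';')
        .map((part) => part.trim())
        .filter((part) => part !== '' && !FRAME_ANCESTORS_DIRECTIVE.test(part)),
    )
    .filter((parts) => parts.length > 0);

  if (policies.length === 0) {
    return directive;
  }

  // One policy carrying the directive is enough: policies without
  // frame-ancestors place no restriction on embedding.
  policies[0].push(directive);
  return policies.map((parts) => parts.join('; ')).join(', ');
}

/**
 * Astro middleware that sets the frame-ancestors policy on every response.
 *
 * The path check is a case-sensitive prefix match on '/embed/', so '/embed'
 * without a trailing slash and any differently-cased variant fall through to
 * the same-origin-only branch (fail closed).
 */
export const onRequest = defineMiddleware(async ({ url }, next) => {
  const response = await next();

  // Embed routes may be framed by the allow-listed origins; the main app may
  // only be framed by itself.
  const sources = url.pathname.startsWith('/embed/') ? FRAME_ANCESTORS : "'self'";

  response.headers.set(
    'Content-Security-Policy',
    withFrameAncestors(response.headers.get('Content-Security-Policy'), sources),
  );

  return response;
});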