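import { defineMiddleware } from 'astro:middleware';

// CSP frame-ancestors: controls which origins can embed this site in an iframe.
// /embed/* routes allow framing from any origin; the main app stays locked to 'self'.
const EMBED_FRAME_ANCESTORS = '*';
const DEFAULT_FRAME_ANCESTORS = "'self'";
const EMBED_PATH_PREFIX = '/embed/';
const CSP_HEADER = 'Content-Security-Policy';

/**
 * Build a Content-Security-Policy value that carries `frame-ancestors <value>`
 * while preserving every other directive already present in `existing`.
 *
 * Overwriting the header outright would silently drop directives (script-src,
 * default-src, ...) that a page or an upstream layer had set; instead only a
 * pre-existing frame-ancestors directive is replaced so it is never duplicated.
 *
 * @param {string | null | undefined} existing - current CSP header value, if any
 * @param {string} value - the frame-ancestors source list to apply
 * @returns {string} the merged policy, directives joined by `; `
 */
function withFrameAncestors(existing, value) {
  const kept = (existing ?? '')
    .split(';')
    .map((directive) => directive.trim())
    // Directive names are ASCII case-insensitive, hence the /i flag.
    .filter((directive) => directive !== '' && !/^frame-ancestors\b/i.test(directive));
  return [...kept, `frame-ancestors ${value}`].join('; ');
}

/**
 * Middleware that decides whether the response may be embedded in an iframe.
 * Requests under /embed/ get `frame-ancestors *`; everything else gets
 * `frame-ancestors 'self'` plus an X-Frame-Options fallback for user agents
 * that do not honour the CSP directive.
 */
export const onRequest = defineMiddleware(async ({ url }, next) => {
  const response = await next();
  const isEmbedRoute = url.pathname.startsWith(EMBED_PATH_PREFIX);
  // NOTE(review): a wildcard makes /embed/* pages frameable by any site, so
  // those pages should not expose session-bound actions (clickjacking risk).
  const ancestors = isEmbedRoute ? EMBED_FRAME_ANCESTORS : DEFAULT_FRAME_ANCESTORS;

  response.headers.set(
    CSP_HEADER,
    withFrameAncestors(response.headers.get(CSP_HEADER), ancestors),
  );

  if (!isEmbedRoute && !response.headers.has('X-Frame-Options')) {
    // Legacy fallback; an upstream value (e.g. a stricter DENY) is left untouched.
    response.headers.set('X-Frame-Options', 'SAMEORIGIN');
  }

  return response;
});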