frame-ancestors * for /embed/* routes so any site can iframe notebooks. Remove postMessage origin allowlist (theme toggle is cosmetic-only). Add EmbedDialog popover with copy-paste iframe snippet and theme picker. Enable ltspice in the engine dropdown now that the backend supports it.
import { defineMiddleware } from 'astro:middleware';
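// CSP frame-ancestors: controls which origins can embed this site in an iframe.
// /embed/* routes allow framing from any origin; every other route is limited
// to same-origin framing ('self').
//
// Because /embed/* can be framed by any site, those routes rely on framing
// protection from nothing else: anything rendered there should be safe to show
// inside a page the user does not trust.
// NOTE(review): confirm /embed/* exposes no authenticated, state-changing
// controls — those would be clickjackable from an arbitrary framing page.
const FRAME_ANCESTORS = '*';

// Sources applied to everything outside /embed/*. 'self' still permits the
// app to frame itself; switch to 'none' if framing should be forbidden outright.
const DEFAULT_FRAME_ANCESTORS = "'self'";

const CSP_HEADER = 'Content-Security-Policy';
const FRAME_ANCESTORS_DIRECTIVE = /^frame-ancestors(\s|$)/i;

/**
 * Astro middleware that stamps a `frame-ancestors` directive on every response.
 *
 * Paths starting with `/embed/` get `frame-ancestors *`; all other paths get
 * `frame-ancestors 'self'`. Any other CSP directives already present on the
 * response are preserved, and only an existing `frame-ancestors` directive is
 * replaced.
 *
 * @returns The downstream response with its Content-Security-Policy updated.
 */
export const onRequest = defineMiddleware(async ({ url }, next) => {
  const response = await next();

  // Exact prefix match on the parsed pathname: '/embed' (no trailing slash)
  // and look-alikes such as '/embedded' fall through to the locked-down policy.
  const sources = url.pathname.startsWith('/embed/')
    ? FRAME_ANCESTORS
    : DEFAULT_FRAME_ANCESTORS;
  const framing = `frame-ancestors ${sources}`;

  // A plain headers.set() would discard every directive a route or adapter
  // already put in the CSP (script-src, default-src, ...). Keep them and drop
  // only stale frame-ancestors directives. Multiple policies arrive joined by
  // ',' so each one is cleaned separately.
  const inherited = (response.headers.get(CSP_HEADER) ?? '')
    .split(',')
    .map((policy) =>
      policy
        .split(';')
        .map((directive) => directive.trim())
        .filter(
          (directive) =>
            directive !== '' && !FRAME_ANCESTORS_DIRECTIVE.test(directive),
        )
        .join('; '),
    )
    .filter((policy) => policy !== '');

  // One frame-ancestors directive is enough: attach it to the first policy,
  // or emit it alone when the response carried no CSP (the original behaviour).
  const [first, ...rest] = inherited;
  const merged = [
    first === undefined ? framing : `${first}; ${framing}`,
    ...rest,
  ].join(', ');

  response.headers.set(CSP_HEADER, merged);
  return response;
});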