
Add CSP header to allow only specific domains set in the project owne…
…r settings
denishov committed Jan 28, 2024
1 parent 19fb533 commit 4495c57
Showing 1 changed file with 3 additions and 13 deletions.
16 changes: 3 additions & 13 deletions controller/project/project.controller.js
Expand Up @@ -727,19 +727,9 @@ const embed = async function (req, res) {
return;
}

const {referer} = req.headers;
let isEmbeddingDisallowed = true;

if (referer) {
const refererURL = new URL(req.headers.referer);
const user = await req.db.get('user').findOne({ nickname: json.owner });
const disallowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n') : [];
isEmbeddingDisallowed = disallowedDomains.includes(refererURL.host);
}

if (isEmbeddingDisallowed) {
return res.status(403).send('Not authorized to embed this project');
}
const user = await req.db.get('user').findOne({ nickname: json.owner });
const allowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n').join(' ') : 'none';
res.header('Content-Security-Policy', `frame-ancestors ${allowedDomains}`);

json.files.list = [];
res.render('embed', {
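Review bot: The fallback in the new `allowedDomains` line emits `frame-ancestors none` without quotes, but CSP keywords must be quoted; an unquoted `none` is parsed as a host-source named "none" (browsers log a warning) rather than the intended deny-all, so the default should be the string `'none'`. The owner-supplied `authorizedHostsForEmbedding` value is also interpolated into the header verbatim: only `\n` is split on, so a list saved with CRLF line endings would leave `\r` in the value and make `res.header` throw on an invalid header character (hedged, since how the setting is stored is not visible here), and an entry containing `;` would let the owner append further directives to the embed page's policy. Splitting on `/\r?\n/`, trimming, dropping empty entries and rejecting anything that is not a plain host-source keeps the header well-formed and limited to `frame-ancestors`. The enclosing `embed` function starts before this hunk and continues past the `res.render` call.
```javascript
const user = await req.db.get('user').findOne({ nickname: json.owner });
const allowedHosts = (user.authorizedHostsForEmbedding || '')
  .split(/\r?\n/)
  .map((host) => host.trim())
  // keep only plain host-sources: no directive separators, commas or inner whitespace
  .filter((host) => host && !/[;,\s]/.test(host));
const allowedDomains = allowedHosts.length ? allowedHosts.join(' ') : "'none'";
res.header('Content-Security-Policy', `frame-ancestors ${allowedDomains}`);
// … unchanged: json.files.list reset and res.render call …
```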