From 92cf6d153e578149c9791193feafea4102e63e7f Mon Sep 17 00:00:00 2001
From: denishov
Date: Sun, 28 Jan 2024 20:55:22 +0100
Subject: [PATCH] Add CSP header to allow embedding only by specific domains set in the project owner settings

---
 controller/project/project.controller.js | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/controller/project/project.controller.js b/controller/project/project.controller.js
index e7954713..f20c8197 100644
--- a/controller/project/project.controller.js
+++ b/controller/project/project.controller.js
@@ -727,19 +727,9 @@ const embed = async function (req, res) {
 return;
 }
 
- const {referer} = req.headers;
- let isEmbeddingDisallowed = true;
-
- if (referer) {
- const refererURL = new URL(req.headers.referer);
- const user = await req.db.get('user').findOne({ nickname: json.owner });
- const disallowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n') : [];
- isEmbeddingDisallowed = disallowedDomains.includes(refererURL.host);
- }
-
- if (isEmbeddingDisallowed) {
- return res.status(403).send('Not authorized to embed this project');
- }
+ const user = await req.db.get('user').findOne({ nickname: json.owner });
+ const allowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n').join(' ') : 'none';
+ res.header('Content-Security-Policy', `frame-ancestors ${allowedDomains}`);
 
 json.files.list = [];
 res.render('embed', {
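Review bot: The fallback value on the added `allowedDomains` line is the bare word `none`, but CSP requires the keyword to be quoted (`'none'`); unquoted it is parsed as a host named "none", which browsers reject with a console warning rather than treating as the explicit deny the commit intends. The setting is also interpolated into the header without normalising entries: a stored value consisting only of blank lines is truthy and yields an empty `frame-ancestors` source list, Windows line endings leave a trailing `\r` on each host (Node's header validation will reject the response), and blank lines in the middle produce stray spaces. Suggested rewrite of the two lines: `const hosts = (user?.authorizedHostsForEmbedding ?? '').split('\n').map((h) => h.trim()).filter(Boolean);` and `const allowedDomains = hosts.length > 0 ? hosts.join(' ') : "'none'";`, which also guards the `findOne` result being null instead of throwing a TypeError before any header is set. Note that, unlike the removed referer check, this relies entirely on the client honouring CSP; that is the standard mechanism for clickjacking protection, but a comment above the header line saying so would help the next reader. The body of `embed` starts and ends outside this hunk.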