AZEN-SGG/Kavita
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Nightly Issues (#2618)

Browse source
This commit is contained in:
Joe Milazzo 2024-01-18 08:35:54 -06:00 committed by GitHub
parent 0ff6d4a6fc
commit d145dca0e7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
28 changed files with 138 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

18
API/Startup.cs
View file

@ -349,16 +349,26 @@ public class Startup
opts.IncludeQueryInRequestPath = true;
});
var allowIframing = Configuration.AllowIFraming;
app.Use(async (context, next) =>
{
context.Response.Headers[HeaderNames.Vary] =
new[] { "Accept-Encoding" };
// Don't let the site be iframed outside the same origin (clickjacking)
context.Response.Headers.XFrameOptions = Configuration.XFrameOptions;
// Setup CSP to ensure we load assets only from these origins
context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors 'none';");
if (!allowIframing)
{
// Don't let the site be iframed outside the same origin (clickjacking)
context.Response.Headers.XFrameOptions = "SAMEORIGIN";
// Setup CSP to ensure we load assets only from these origins
context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors 'none';");
}
else
{
logger.LogCritical("appsetting.json has allow iframing on! This may allow for clickjacking on the server. User beware");
}
await next();
});