feat: allow /FramePlayer to be embedded in external iframes via CORS + CSP frame-ancestors
This commit is contained in:
@@ -24,6 +24,11 @@ Startup.ConfigureDomainServices(builder);
|
||||
|
||||
// Add services to the container.
|
||||
builder.Services.AddControllers();
|
||||
builder.Services.AddCors(options =>
|
||||
{
|
||||
options.AddPolicy("FramePlayerEmbedPolicy", policy =>
|
||||
policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
|
||||
});
|
||||
builder.Services.AddRazorComponents()
|
||||
.AddInteractiveServerComponents()
|
||||
.AddInteractiveWebAssemblyComponents();
|
||||
@@ -72,6 +77,26 @@ else
|
||||
}
|
||||
}
|
||||
|
||||
app.UseCors("FramePlayerEmbedPolicy");
|
||||
|
||||
// For requests to /FramePlayer, remove any X-Frame-Options header and set a permissive
|
||||
// frame-ancestors CSP so the page can be embedded in iframes on any external domain.
|
||||
// OnStarting fires just before headers are flushed, ensuring this overrides headers set
|
||||
// by other middleware (e.g. HSTS, reverse proxy).
|
||||
app.Use(async (context, next) =>
|
||||
{
|
||||
if (context.Request.Path.StartsWithSegments("/FramePlayer", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
context.Response.OnStarting(() =>
|
||||
{
|
||||
context.Response.Headers.Remove("X-Frame-Options");
|
||||
context.Response.Headers["Content-Security-Policy"] = "frame-ancestors *";
|
||||
return Task.CompletedTask;
|
||||
});
|
||||
}
|
||||
await next();
|
||||
});
|
||||
|
||||
// Antiforgery is required by Blazor form handling. Authentication / authorization
|
||||
// middleware is intentionally absent — this host is fully anonymous.
|
||||
app.UseAntiforgery();
|
||||
|
||||
Reference in New Issue
Block a user