feat: allow /FramePlayer to be embedded in external iframes via CORS + CSP frame-ancestors
This commit is contained in:
@@ -24,6 +24,11 @@ Startup.ConfigureDomainServices(builder);
|
|||||||
|
|
||||||
// Add services to the container.
|
// Add services to the container.
|
||||||
builder.Services.AddControllers();
|
builder.Services.AddControllers();
|
||||||
|
builder.Services.AddCors(options =>
|
||||||
|
{
|
||||||
|
options.AddPolicy("FramePlayerEmbedPolicy", policy =>
|
||||||
|
policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
|
||||||
|
});
|
||||||
builder.Services.AddRazorComponents()
|
builder.Services.AddRazorComponents()
|
||||||
.AddInteractiveServerComponents()
|
.AddInteractiveServerComponents()
|
||||||
.AddInteractiveWebAssemblyComponents();
|
.AddInteractiveWebAssemblyComponents();
|
||||||
@@ -72,6 +77,26 @@ else
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
app.UseCors("FramePlayerEmbedPolicy");
|
||||||
|
|
||||||
|
// For requests to /FramePlayer, remove any X-Frame-Options header and set a permissive
|
||||||
|
// frame-ancestors CSP so the page can be embedded in iframes on any external domain.
|
||||||
|
// OnStarting fires just before headers are flushed, ensuring this overrides headers set
|
||||||
|
// by other middleware (e.g. HSTS, reverse proxy).
|
||||||
|
app.Use(async (context, next) =>
|
||||||
|
{
|
||||||
|
if (context.Request.Path.StartsWithSegments("/FramePlayer", StringComparison.OrdinalIgnoreCase))
|
||||||
|
{
|
||||||
|
context.Response.OnStarting(() =>
|
||||||
|
{
|
||||||
|
context.Response.Headers.Remove("X-Frame-Options");
|
||||||
|
context.Response.Headers["Content-Security-Policy"] = "frame-ancestors *";
|
||||||
|
return Task.CompletedTask;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
await next();
|
||||||
|
});
|
||||||
|
|
||||||
// Antiforgery is required by Blazor form handling. Authentication / authorization
|
// Antiforgery is required by Blazor form handling. Authentication / authorization
|
||||||
// middleware is intentionally absent — this host is fully anonymous.
|
// middleware is intentionally absent — this host is fully anonymous.
|
||||||
app.UseAntiforgery();
|
app.UseAntiforgery();
|
||||||
|
|||||||
Reference in New Issue
Block a user