Merge branch 'frame-player-cors' into dev

This commit is contained in:
daniel-c-harvey
2026-06-07 17:19:38 -04:00
2 changed files with 29 additions and 0 deletions
@@ -5,6 +5,7 @@
@page "/FramePlayer"
@layout EmbedLayout
@rendermode InteractiveWebAssembly
<AudioPlayerBar Fixed />
+28
@@ -24,6 +24,11 @@ Startup.ConfigureDomainServices(builder);
// Add services to the container.
builder.Services.AddControllers();
builder.Services.AddCors(options =>
{
options.AddPolicy("FramePlayerEmbedPolicy", policy =>
policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
});
builder.Services.AddRazorComponents()
.AddInteractiveServerComponents()
.AddInteractiveWebAssemblyComponents();
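Review bot: The "FramePlayerEmbedPolicy" registered here is a wildcard (`AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()`), and the comment added later in this same commit states the FramePlayer embed does not need CORS at all because the WASM client fetches same-origin. Once applied with `app.UseCors(...)` the policy covers every controller from `builder.Services.AddControllers()`, so any site can read every API response from this host; that is tolerable only while the host stays fully anonymous, and it silently becomes a data-exposure problem the day authentication is added. If there are real cross-origin consumers, name them: `policy.WithOrigins(builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? []).AllowAnyHeader().AllowAnyMethod()`; if there are none, drop the policy rather than keeping it "for hygiene". I can't see whether any controller returns non-public data, so treat the scope decision as something to confirm with the API owners. The builder configuration this hunk sits in continues outside the hunk.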
@@ -72,6 +77,29 @@ else
}
}
// CORS policy registered for hygiene and potential direct cross-origin API consumers.
// The FramePlayer embed use case does not require this: WASM inside a cross-site iframe
// fetches to the same deepdrft.com origin, so all API calls are same-origin.
app.UseCors("FramePlayerEmbedPolicy");
// For requests to /FramePlayer, remove any X-Frame-Options header and set a permissive
// frame-ancestors CSP so the page can be embedded in iframes on any external domain.
// OnStarting fires just before headers are flushed, ensuring this overrides headers set
// by other middleware (e.g. HSTS, reverse proxy).
app.Use(async (context, next) =>
{
if (context.Request.Path.StartsWithSegments("/FramePlayer", StringComparison.OrdinalIgnoreCase))
{
context.Response.OnStarting(() =>
{
context.Response.Headers.Remove("X-Frame-Options");
context.Response.Headers["Content-Security-Policy"] = "frame-ancestors *";
return Task.CompletedTask;
});
}
await next();
});
// Antiforgery is required by Blazor form handling. Authentication / authorization
// middleware is intentionally absent — this host is fully anonymous.
app.UseAntiforgery();
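Review bot: The comment above the OnStarting callback claims it overrides headers set by a reverse proxy, which it cannot: a proxy that injects X-Frame-Options or Content-Security-Policy does so after Kestrel has already written this response, so any such header must be removed in the proxy config, and the comment should say so (`// OnStarting fires just before headers are flushed, so this wins over any header set earlier in this app's pipeline; a reverse proxy that adds its own X-Frame-Options/CSP must be configured separately.`). Separately, `Headers["Content-Security-Policy"] = "frame-ancestors *"` replaces the whole header, so if any other middleware on this host sets script-src, connect-src or similar for the page, those directives are dropped for /FramePlayer; I can't see from the hunk whether one does, but replacing only the frame-ancestors directive is cheap and avoids the surprise (a second frame-ancestors directive would be ignored by browsers, so the existing one has to be filtered out rather than appended to). Note also that the antiforgery and any Blazor cookies will not reach a third-party iframe unless they are issued SameSite=None; Secure, which is not visible here and worth confirming against the cookie policy. The middleware lambda is contained in the hunk; the surrounding pipeline setup is not.
```csharp
context.Response.OnStarting(() =>
{
    context.Response.Headers.Remove("X-Frame-Options");
    // Preserve other CSP directives for this response; only frame-ancestors is
    // replaced, since a duplicate directive would be ignored by the browser.
    var directives = context.Response.Headers["Content-Security-Policy"].ToString()
        .Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
        .Where(d => !d.StartsWith("frame-ancestors", StringComparison.OrdinalIgnoreCase))
        .Append("frame-ancestors *");
    context.Response.Headers["Content-Security-Policy"] = string.Join("; ", directives);
    return Task.CompletedTask;
});
// … unchanged: await next() …
```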