diff --git a/DeepDrftPublic.Client/Pages/FramePlayer.razor b/DeepDrftPublic.Client/Pages/FramePlayer.razor
index 177c406..24b1ab6 100644
--- a/DeepDrftPublic.Client/Pages/FramePlayer.razor
+++ b/DeepDrftPublic.Client/Pages/FramePlayer.razor
@@ -5,6 +5,7 @@
 @page "/FramePlayer"
 @layout EmbedLayout
+@rendermode InteractiveWebAssembly
diff --git a/DeepDrftPublic/Program.cs b/DeepDrftPublic/Program.cs
index dff19a3..8add77d 100644
--- a/DeepDrftPublic/Program.cs
+++ b/DeepDrftPublic/Program.cs
@@ -24,6 +24,11 @@ Startup.ConfigureDomainServices(builder);
 // Add services to the container.
 builder.Services.AddControllers();
+builder.Services.AddCors(options =>
+{
+ options.AddPolicy("FramePlayerEmbedPolicy", policy =>
+ policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
+});
 builder.Services.AddRazorComponents()
 .AddInteractiveServerComponents()
 .AddInteractiveWebAssemblyComponents();
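Review bot: The `FramePlayerEmbedPolicy` registered here is a full wildcard (`AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()`), and the follow-up hunk both applies it app-wide with `app.UseCors` and states in its own comment that the embed does not need it, so every controller endpoint becomes readable from any origin with no named consumer. On a host described as fully anonymous this leaks no credentialed data (ASP.NET Core refuses `AllowAnyOrigin` combined with `AllowCredentials`), but a wildcard policy nobody depends on is far easier to drop now than after an external caller starts relying on it. If a cross-origin consumer is actually expected, bind the policy to a configured allow-list, `policy.WithOrigins(allowedOrigins).AllowAnyHeader().AllowAnyMethod()`, or keep it registered and apply it only with `[EnableCors("FramePlayerEmbedPolicy")]` on the controllers that need it instead of globally. The service registration around this hunk continues outside it.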
@@ -72,6 +77,29 @@ else
 }
 }
+// CORS policy registered for hygiene and potential direct cross-origin API consumers.
+// The FramePlayer embed use case does not require this: WASM inside a cross-site iframe
+// fetches to the same deepdrft.com origin, so all API calls are same-origin.
+app.UseCors("FramePlayerEmbedPolicy");
+
+// For requests to /FramePlayer, remove any X-Frame-Options header and set a permissive
+// frame-ancestors CSP so the page can be embedded in iframes on any external domain.
+// OnStarting fires just before headers are flushed, ensuring this overrides headers set
+// by other middleware (e.g. HSTS, reverse proxy).
+app.Use(async (context, next) =>
+{
+ if (context.Request.Path.StartsWithSegments("/FramePlayer", StringComparison.OrdinalIgnoreCase))
+ {
+ context.Response.OnStarting(() =>
+ {
+ context.Response.Headers.Remove("X-Frame-Options");
+ context.Response.Headers["Content-Security-Policy"] = "frame-ancestors *";
+ return Task.CompletedTask;
+ });
+ }
+ await next();
+});
+
+// Antiforgery is required by Blazor form handling. Authentication / authorization
 // middleware is intentionally absent — this host is fully anonymous.
 app.UseAntiforgery();
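Review bot: The `OnStarting` callback assigns `Content-Security-Policy` wholesale, so any other directives already on the response for `/FramePlayer` (a `default-src`/`script-src` policy set by earlier middleware, for instance) are silently discarded rather than only `frame-ancestors` being relaxed; rewriting just that directive keeps the rest of the policy intact, and the change is sketched below. The comment's claim that this overrides headers added by a reverse proxy is not right — a proxy adds `X-Frame-Options` after the application has written its response, so nothing in this callback can remove it — and should read `// overrides headers set by earlier in-app middleware; headers a reverse proxy adds downstream are out of reach here`. Note that `StartsWithSegments` relaxes framing for every sub-path under `/FramePlayer`, which is presumably intended but worth stating in the comment. It also looks like the antiforgery cookie (SameSite=Strict by default) would not be sent from a cross-site iframe, so any Blazor form post inside the embed may fail despite `app.UseAntiforgery()` — confirm against what the FramePlayer page actually submits. The pipeline configuration continues past the end of the hunk.
```csharp
context.Response.OnStarting(() =>
{
    var headers = context.Response.Headers;
    headers.Remove("X-Frame-Options");
    // Replace only the frame-ancestors directive; keep every other CSP directive as set.
    var kept = headers.ContentSecurityPolicy.ToString()
        .Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
        .Where(d => !d.StartsWith("frame-ancestors", StringComparison.OrdinalIgnoreCase));
    headers.ContentSecurityPolicy = string.Join("; ", kept.Append("frame-ancestors *"));
    return Task.CompletedTask;
});
// … unchanged: await next() …
```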