Merge branch 'frame-player-cors' into dev
This commit is contained in:
@@ -5,6 +5,7 @@
|
|||||||
|
|
||||||
@page "/FramePlayer"
|
@page "/FramePlayer"
|
||||||
@layout EmbedLayout
|
@layout EmbedLayout
|
||||||
|
@rendermode InteractiveWebAssembly
|
||||||
|
|
||||||
<AudioPlayerBar Fixed />
|
<AudioPlayerBar Fixed />
|
||||||
|
|
||||||
|
|||||||
@@ -24,6 +24,11 @@ Startup.ConfigureDomainServices(builder);
|
|||||||
|
|
||||||
// Add services to the container.
|
// Add services to the container.
|
||||||
builder.Services.AddControllers();
|
builder.Services.AddControllers();
|
||||||
|
builder.Services.AddCors(options =>
|
||||||
|
{
|
||||||
|
options.AddPolicy("FramePlayerEmbedPolicy", policy =>
|
||||||
|
policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
|
||||||
|
});
|
||||||
builder.Services.AddRazorComponents()
|
builder.Services.AddRazorComponents()
|
||||||
.AddInteractiveServerComponents()
|
.AddInteractiveServerComponents()
|
||||||
.AddInteractiveWebAssemblyComponents();
|
.AddInteractiveWebAssemblyComponents();
|
||||||
@@ -72,6 +77,29 @@ else
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CORS policy registered for hygiene and potential direct cross-origin API consumers.
|
||||||
|
// The FramePlayer embed use case does not require this: WASM inside a cross-site iframe
|
||||||
|
// fetches to the same deepdrft.com origin, so all API calls are same-origin.
|
||||||
|
app.UseCors("FramePlayerEmbedPolicy");
|
||||||
|
|
||||||
|
// For requests to /FramePlayer, remove any X-Frame-Options header and set a permissive
|
||||||
|
// frame-ancestors CSP so the page can be embedded in iframes on any external domain.
|
||||||
|
// OnStarting fires just before headers are flushed, ensuring this overrides headers set
|
||||||
|
// by other middleware (e.g. HSTS, reverse proxy).
|
||||||
|
app.Use(async (context, next) =>
|
||||||
|
{
|
||||||
|
if (context.Request.Path.StartsWithSegments("/FramePlayer", StringComparison.OrdinalIgnoreCase))
|
||||||
|
{
|
||||||
|
context.Response.OnStarting(() =>
|
||||||
|
{
|
||||||
|
context.Response.Headers.Remove("X-Frame-Options");
|
||||||
|
context.Response.Headers["Content-Security-Policy"] = "frame-ancestors *";
|
||||||
|
return Task.CompletedTask;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
await next();
|
||||||
|
});
|
||||||
|
|
||||||
// Antiforgery is required by Blazor form handling. Authentication / authorization
|
// Antiforgery is required by Blazor form handling. Authentication / authorization
|
||||||
// middleware is intentionally absent — this host is fully anonymous.
|
// middleware is intentionally absent — this host is fully anonymous.
|
||||||
app.UseAntiforgery();
|
app.UseAntiforgery();
|
||||||
|
|||||||
Reference in New Issue
Block a user