feat: restrict iframe embedding to huggingface.co
When ALLOW_IFRAME=true, instead of allowing all origins, embedding is now allowed
only from https://huggingface.co and 'self'.
This enables embedding the chat UI on pages like huggingface.co/papers
while maintaining security by blocking embedding from other origins.
- src/hooks.server.ts +7 -2
- svelte.config.js +2 -1
src/hooks.server.ts
CHANGED
|
@@ -284,8 +284,13 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
| 284 |
// Update request context with status code
|
| 285 |
updateRequestContext({ statusCode: response.status });
|
| 286 |
|
| 287 |
-
// Add CSP header to
|
| 288 |
-
if (config.ALLOW_IFRAME
|
| 289 |
response.headers.append("Content-Security-Policy", "frame-ancestors 'none';");
|
| 290 |
}
|
| 291 |
|
| 284 |
// Update request context with status code
|
| 285 |
updateRequestContext({ statusCode: response.status });
|
| 286 |
|
| 287 |
+
// Add CSP header to control iframe embedding
|
| 288 |
+
if (config.ALLOW_IFRAME === "true") {
|
| 289 |
+
response.headers.append(
|
| 290 |
+
"Content-Security-Policy",
|
| 291 |
+
"frame-ancestors 'self' https://huggingface.co;"
|
| 292 |
+
);
|
| 293 |
+
} else {
|
| 294 |
response.headers.append("Content-Security-Policy", "frame-ancestors 'none';");
|
| 295 |
}
|
| 296 |
|
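Review bot: The `response.headers.append(...)` at new lines 289-292 adds a second Content-Security-Policy header whenever the kit-level `csp.directives` in svelte.config.js (changed in the same commit) is also emitted as a header, and browsers enforce every CSP header present, so the effective policy is the stricter of the two. Because the kit-side value is read from `process.env.ALLOW_IFRAME` when the build runs while this check reads `config.ALLOW_IFRAME` per request, a build made with the variable unset presumably still ships `frame-ancestors 'none'` and blocks embedding no matter what this branch appends at runtime; the two sources should either be reduced to one or documented as required to match. I would also define the allowed list once rather than inline, e.g. `const FRAME_ANCESTORS = "frame-ancestors 'self' https://huggingface.co;";` followed by `response.headers.append("Content-Security-Policy", FRAME_ANCESTORS);`, with a comment that it must stay in sync with svelte.config.js. The enclosing `handle` function starts and ends outside the hunk.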
svelte.config.js
CHANGED
|
@@ -37,7 +37,8 @@ const config = {
|
|
| 37 |
},
|
| 38 |
csp: {
|
| 39 |
directives: {
|
| 40 |
-
|
|
| 41 |
},
|
| 42 |
},
|
| 43 |
alias: {
|
| 37 |
},
|
| 38 |
csp: {
|
| 39 |
directives: {
|
| 40 |
+
"frame-ancestors":
|
| 41 |
+
process.env.ALLOW_IFRAME === "true" ? ["'self'", "https://huggingface.co"] : ["'none'"],
|
| 42 |
},
|
| 43 |
},
|
| 44 |
alias: {
|
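Review bot: The `process.env.ALLOW_IFRAME === "true"` ternary at new line 41 is evaluated when svelte.config.js is loaded by the build, not per request, so the directive is fixed in the build output; nothing in the hunk says so, and it is easy to mistake for the request-time check added to src/hooks.server.ts in the same commit. I would add `// Resolved at build time: ALLOW_IFRAME must be set identically when building and when serving (see src/hooks.server.ts).` above the `"frame-ancestors":` key. The `config` object that contains this directive starts and ends outside the hunk.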