fix: apply iframe CSP fix before URL rewrite to prevent frame-ancestors 'none'
The writeHead wrapper that strips X-Frame-Options and fixes
frame-ancestors was placed after the URL rewrite code. When
req.url was rewritten and origEmit was called early, the iframe
fix was never applied, causing 'frame-ancestors none' to block
HF iframe embedding. Moved the fix to run immediately after the
port check, before any routing logic.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- scripts/token-redirect.cjs +15 -19
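--- a/scripts/token-redirect.cjs
+++ b/scripts/token-redirect.cjs
@@ -160,6 +160,21 @@ http.Server.prototype.emit = function (event, ...args) {
 return origEmit.apply(this, [event, ...args]);
 }
 
+// Fix iframe embedding — must be applied BEFORE any early returns
+const origWriteHead = res.writeHead;
+res.writeHead = function (statusCode, ...whArgs) {
+if (res.getHeader) {
+res.removeHeader('x-frame-options');
+const csp = res.getHeader('content-security-policy');
+if (csp && typeof csp === 'string') {
+res.setHeader('content-security-policy',
+csp.replace(/frame-ancestors\s+'none'/i,
+"frame-ancestors 'self' https://huggingface.co https://*.hf.space"));
+}
+}
+return origWriteHead.apply(this, [statusCode, ...whArgs]);
+};
+
 const parsed = url.parse(req.url, true);
 const pathname = parsed.pathname;
 
@@ -225,25 +240,6 @@ http.Server.prototype.emit = function (event, ...args) {
 }
 }
 
-// Fix iframe embedding on all responses
-if (event === 'request') {
-const [req, res] = args;
-const origWriteHead = res.writeHead;
-res.writeHead = function (statusCode, ...whArgs) {
-// Remove X-Frame-Options to allow HF iframe embedding
-if (res.getHeader) {
-res.removeHeader('x-frame-options');
-const csp = res.getHeader('content-security-policy');
-if (csp && typeof csp === 'string') {
-res.setHeader('content-security-policy',
-csp.replace(/frame-ancestors\s+'none'/i,
-"frame-ancestors 'self' https://huggingface.co https://*.hf.space"));
-}
-}
-return origWriteHead.apply(this, [statusCode, ...whArgs]);
-};
-}
-
 return origEmit.apply(this, [event, ...args]);
 };
 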
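Review bot: Headers handed directly to writeHead() — `res.writeHead(200, { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'none'" })` — never pass through getHeader()/removeHeader(), so the new wrapper at lines 164-176 of the first hunk leaves both headers intact in that form; scrubbing the object argument before delegating closes the gap (sketch below), and the same `typeof csp === 'string'` check also skips an array-valued CSP, which may or may not matter for the upstream app. The removed block in the second hunk was guarded by `if (event === 'request')` and destructured `res` from args, while the added lines use `res` unguarded; if that guard and destructuring are not already present above the hunk, non-request events would reach `res.writeHead` on undefined — the enclosing emit override starts outside the hunk, so this cannot be confirmed here. Since the wrapper strips clickjacking protection from every response and widens frame-ancestors to all of `https://*.hf.space`, a short comment next to line 163 stating that this is deliberate for HF iframe embedding and listing the allowed origins would help the next reader judge the trade-off.
```javascript
res.writeHead = function (statusCode, ...whArgs) {
  // Headers passed straight to writeHead() bypass getHeader()/removeHeader(),
  // so apply the same scrub to the object form of the argument as well.
  const idx = whArgs.findIndex((a) => a && typeof a === 'object' && !Array.isArray(a));
  if (idx !== -1) {
    const scrubbed = {};
    for (const [k, v] of Object.entries(whArgs[idx])) {
      const key = k.toLowerCase();
      if (key === 'x-frame-options') continue;
      scrubbed[k] = key === 'content-security-policy' && typeof v === 'string'
        ? v.replace(/frame-ancestors\s+'none'/i, "frame-ancestors 'self' https://huggingface.co https://*.hf.space")
        : v;
    }
    whArgs[idx] = scrubbed;
  }
  // … unchanged: removeHeader('x-frame-options') and the frame-ancestors rewrite via getHeader/setHeader …
  return origWriteHead.apply(this, [statusCode, ...whArgs]);
};
```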