tao-shen commited on
Commit ·
1469692
1
Parent(s): 265a06f
fix: disable auth (mode:none) + patch CSP frame-ancestors for HF iframe embedding
- Dockerfile +6 -4
- openclaw.json +1 -1
- patches/hf-spaces-allow-iframe-embedding.patch +27 -0
- scripts/entrypoint.sh +0 -7
- scripts/sync_hf.py +1 -1
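--- a/Dockerfile
+++ b/Dockerfile
@@ -27,10 +27,12 @@ RUN echo "[build][layer2] Clone + install + build..." && START=$(date +%s) \
 && git clone --depth 1 https://github.com/openclaw/openclaw.git openclaw \
 && echo "[build] git clone: $(($(date +%s) - START))s" \
 && cd openclaw \
-&&
-
-
-
+&& for p in /app/patches/*.patch; do \
+if [ -f "$p" ]; then \
+patch -p1 < "$p" \
+&& echo "[build] patch applied: $(basename $p)"; \
+fi; \
+done \
 && T1=$(date +%s) \
 && pnpm install --frozen-lockfile \
 && echo "[build] pnpm install: $(($(date +%s) - T1))s" \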
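Review bot: A failed `patch` inside the new loop (new line 32) does not reliably abort the build: the `&&` only gates the echo, and the `for` loop's exit status is that of its last iteration, so a failure on any patch but the last is masked and the image is built from partially patched sources. Make each failure fatal, e.g. `patch -p1 < "$p" || { echo "[build] patch FAILED: $(basename "$p")"; exit 1; }` (quoting `$p` in the basename call as well). The added patch file carries `index` lines for a specific upstream revision while the clone on line 27 takes an unpinned `--depth 1` HEAD, so upstream drift is the likely way this loop starts failing; pinning the clone to a commit would make that dependency explicit. The RUN instruction continues outside the hunk.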
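--- a/openclaw.json
+++ b/openclaw.json
@@ -3,7 +3,7 @@
 "mode": "local",
 "bind": "lan",
 "port": 7860,
-"auth": {},
+"auth": { "mode": "none" },
 "trustedProxies": [
 "0.0.0.0/0"
 ],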
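Review bot: `"auth": { "mode": "none" }` on line 6 removes authentication from a gateway that the same file binds to `lan` and configures with `trustedProxies` of `0.0.0.0/0`, so anyone who can reach the Space's URL gets the control UI without credentials, and every client address is treated as a trusted proxy (presumably letting forwarded-for headers be spoofed — confirm against the gateway's proxy handling). If this is intentional, the compensating control (for instance the Space's visibility setting, or HF's own login in front of it) should be recorded in the README or the commit description, since JSON cannot carry a comment. The identical setting is duplicated in scripts/sync_hf.py at line 330; keeping two copies of the gateway config invites drift, so consider having one derive from the other.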
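--- a/patches/hf-spaces-allow-iframe-embedding.patch
+++ b/patches/hf-spaces-allow-iframe-embedding.patch
@@ -0,0 +1,27 @@
+diff --git a/src/gateway/control-ui-csp.ts b/src/gateway/control-ui-csp.ts
+index 8a7b56f..112b1c2 100644
+--- a/src/gateway/control-ui-csp.ts
++++ b/src/gateway/control-ui-csp.ts
+@@ -7,7 +7,7 @@ export function buildControlUiCspHeader(): string {
+"default-src 'self'",
+"base-uri 'none'",
+"object-src 'none'",
+- "frame-ancestors 'none'",
++ "frame-ancestors 'self' https://huggingface.co https://*.hf.space",
+"script-src 'self'",
+"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+"img-src 'self' data: https:",
+diff --git a/src/gateway/control-ui.ts b/src/gateway/control-ui.ts
+index ed7b733..7cc0ab9 100644
+--- a/src/gateway/control-ui.ts
++++ b/src/gateway/control-ui.ts
+@@ -98,7 +98,8 @@ type ControlUiAvatarMeta = {
+};
+
+function applyControlUiSecurityHeaders(res: ServerResponse) {
+- res.setHeader("X-Frame-Options", "DENY");
++ // Allow embedding in HF Spaces iframes (X-Frame-Options removed, CSP frame-ancestors used instead)
++ // res.setHeader("X-Frame-Options", "DENY");
+res.setHeader("Content-Security-Policy", buildControlUiCspHeader());
+res.setHeader("X-Content-Type-Options", "nosniff");
+res.setHeader("Referrer-Policy", "no-referrer");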
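Review bot: `frame-ancestors 'self' https://huggingface.co https://*.hf.space` on line 10 lets any Space under hf.space frame this control UI, not only the one this repo deploys; together with the commit's `auth` mode `none`, an unrelated Space's page could embed and overlay the unauthenticated UI (clickjacking). Narrow the wildcard to the exact host the Space is served from, e.g. `https://<owner>-<space>.hf.space` (placeholder), alongside `https://huggingface.co`. Dropping `X-Frame-Options: DENY` is consistent once `frame-ancestors` is set, since browsers that support the directive give it precedence, but delete the old line rather than commenting it out on lines 23-24, e.g. replace both with `// Framing is governed by the CSP frame-ancestors directive in buildControlUiCspHeader()`. The `applyControlUiSecurityHeaders` body continues outside the hunk.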
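--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -48,13 +48,6 @@ touch /home/node/logs/app.log
 ENTRYPOINT_END=$(date +%s)
 echo "[TIMER] Entrypoint (before sync_hf.py): $((ENTRYPOINT_END - BOOT_START))s"
 
-# ββ Inject auto-token into Control UI (must happen at runtime, not build) ββββ
-INJECT_START=$(date +%s)
-if [ -x /home/node/scripts/inject-token.sh ]; then
-OPENCLAW_APP_DIR=/app/openclaw bash /home/node/scripts/inject-token.sh
-fi
-echo "[TIMER] Token inject: $(($(date +%s) - INJECT_START))s"
-
 # ββ Start OpenClaw via sync_hf.py (don't wait for DNS β it runs in bg) βββββ
 echo "[entrypoint] Starting OpenClaw via sync_hf.py..."
 echo "[entrypoint] DNS resolution running in background (PID $DNS_PID), app will use it when ready"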
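--- a/scripts/sync_hf.py
+++ b/scripts/sync_hf.py
@@ -327,7 +327,7 @@ class OpenClawFullSync:
 "mode": "local",
 "bind": "lan",
 "port": 7860,
-"auth": {},
+"auth": {"mode": "none"},
 "trustedProxies": ["0.0.0.0/0"],
 "controlUi": {
 "allowInsecureAuth": True,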