修复
This commit is contained in:
@@ -0,0 +1,34 @@
|
||||
"""允许本地导航(LocalNav)iframe 内嵌本服务。环境变量 NAV_ALLOW_EMBED / NAV_EMBED_ORIGINS。"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
|
||||
|
||||
def nav_embed_allowed() -> bool:
|
||||
return (os.getenv("NAV_ALLOW_EMBED") or "true").strip().lower() in (
|
||||
"1",
|
||||
"true",
|
||||
"yes",
|
||||
"on",
|
||||
)
|
||||
|
||||
|
||||
def nav_embed_origins() -> str:
|
||||
return (os.getenv("NAV_EMBED_ORIGINS") or "*").strip() or "*"
|
||||
|
||||
|
||||
def install_nav_embed(app) -> None:
|
||||
if not nav_embed_allowed():
|
||||
return
|
||||
origins = nav_embed_origins()
|
||||
|
||||
@app.middleware("http")
|
||||
async def _nav_embed_frame_headers(request, call_next):
|
||||
response = await call_next(request)
|
||||
if origins == "*":
|
||||
response.headers["Content-Security-Policy"] = "frame-ancestors *"
|
||||
else:
|
||||
parts = " ".join(o.strip() for o in origins.split(",") if o.strip())
|
||||
response.headers["Content-Security-Policy"] = f"frame-ancestors 'self' {parts}"
|
||||
return response
|
||||
Reference in New Issue
Block a user