This commit is contained in:
dekun
2026-05-30 15:40:43 +08:00
parent 0a42bd4de9
commit 1f8d2e64e7
4 changed files with 92 additions and 0 deletions
+34
View File
@@ -0,0 +1,34 @@
"""允许本地导航(LocalNav)iframe 内嵌本服务。环境变量 NAV_ALLOW_EMBED / NAV_EMBED_ORIGINS。"""
from __future__ import annotations
import os
def nav_embed_allowed() -> bool:
return (os.getenv("NAV_ALLOW_EMBED") or "true").strip().lower() in (
"1",
"true",
"yes",
"on",
)
def nav_embed_origins() -> str:
return (os.getenv("NAV_EMBED_ORIGINS") or "*").strip() or "*"
def install_nav_embed(app) -> None:
if not nav_embed_allowed():
return
origins = nav_embed_origins()
@app.middleware("http")
async def _nav_embed_frame_headers(request, call_next):
response = await call_next(request)
if origins == "*":
response.headers["Content-Security-Policy"] = "frame-ancestors *"
else:
parts = " ".join(o.strip() for o in origins.split(",") if o.strip())
response.headers["Content-Security-Policy"] = f"frame-ancestors 'self' {parts}"
return response