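"""Allow the LocalNav (local navigation) page to embed this service in an iframe.

Controlled by the NAV_ALLOW_EMBED and NAV_EMBED_ORIGINS environment variables.
With both unset, embedding is enabled and any origin may frame the service;
set NAV_EMBED_ORIGINS to an explicit comma-separated list to restrict it.
"""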
from __future__ import annotations
import os
def nav_embed_allowed() -> bool:
    """Report whether iframe embedding is switched on via NAV_ALLOW_EMBED.

    An unset or empty variable counts as "true", so embedding is enabled
    unless the operator sets a value outside the accepted set. Matching is
    case-insensitive and ignores surrounding whitespace; a whitespace-only
    value therefore matches nothing and disables embedding.
    """
    raw = os.getenv("NAV_ALLOW_EMBED")
    if not raw:
        # Unset and empty string both fall back to the enabled default.
        raw = "true"
    normalized = raw.strip().lower()
    return normalized in {"1", "true", "yes", "on"}
def nav_embed_origins() -> str:
    """Return the raw NAV_EMBED_ORIGINS setting, trimmed, or "*" when absent.

    "*" is returned when the variable is unset, empty, or only whitespace.
    The value is not parsed or validated here; it is returned as one string
    (the caller splits it on commas).
    """
    configured = os.getenv("NAV_EMBED_ORIGINS")
    if not configured:
        return "*"
    trimmed = configured.strip()
    return trimmed if trimmed else "*"
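def _merge_frame_ancestors(existing: str | None, directive: str) -> str:
    """Return *existing* CSP text with its frame-ancestors replaced by *directive*.

    Every other directive in *existing* is kept in its original order, so a
    policy set by the application (script-src, default-src, ...) survives.
    """
    if not existing:
        return directive
    kept = []
    for chunk in existing.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        # Directive names are case-insensitive; drop any prior frame-ancestors.
        if chunk.split(None, 1)[0].lower() == "frame-ancestors":
            continue
        kept.append(chunk)
    return "; ".join([*kept, directive])


def install_nav_embed(app) -> None:
    """Register an HTTP middleware that sets the CSP frame-ancestors directive.

    Does nothing when nav_embed_allowed() is false. Note that this only skips
    the middleware: no deny policy is added, so responses that carry no
    framing restriction of their own remain frameable.

    When the configured origins value is "*", every response gets
    ``frame-ancestors *`` (any site may frame the service, which leaves
    clickjacking protection to other controls). Otherwise the comma-separated
    origins are emitted after ``'self'``.

    Args:
        app: Application object exposing a ``middleware("http")`` decorator
            (presumably FastAPI/Starlette -- confirm against the caller).
    """
    if not nav_embed_allowed():
        return
    origins = nav_embed_origins()

    # Build the directive once; it does not change between requests.
    if origins == "*":
        directive = "frame-ancestors *"
    else:
        # Entries are inserted verbatim: NAV_EMBED_ORIGINS must come from
        # trusted deployment config, since a ';' inside an entry would start
        # a new CSP directive.
        tokens = [o.strip() for o in origins.split(",") if o.strip()]
        directive = " ".join(["frame-ancestors", "'self'", *tokens])

    @app.middleware("http")
    async def _nav_embed_frame_headers(request, call_next):
        response = await call_next(request)
        # Merge rather than overwrite: assigning the header outright would
        # discard any Content-Security-Policy the route already set.
        # Assumes response.headers is a mapping with .get() -- TODO confirm.
        response.headers["Content-Security-Policy"] = _merge_frame_ancestors(
            response.headers.get("Content-Security-Policy"), directive
        )
        return response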