allow embed assets to load in iframes, use unicode domain for invite links

2026-03-22 18:02:49 +02:00
parent 9c02623655
commit d88fd52fbe
2 changed files with 5 additions and 2 deletions


@@ -4,8 +4,9 @@ import fp from "fastify-plugin";
async function securityPlugin(app: FastifyInstance) {
app.addHook("onSend", async (req, reply) => {
const isEmbed = req.url.startsWith("/api/v1/embed/") || req.url.startsWith("/embed/");
const isAsset = req.url.startsWith("/assets/") || req.url.startsWith("/favicon") || req.url.startsWith("/icon-") || req.url.endsWith(".js") || req.url.endsWith(".css");
if (isEmbed) {
if (isEmbed || isAsset) {
// embed routes need to be frameable by third-party sites
reply.header("Content-Security-Policy", [
"default-src 'self'",