fix: 'X-Frame-Options' to 'sameorigin' fix

NFDI4Chem · Jan 4, 2024 · 0cf285b · 0cf285b
1 parent ffac34f
commit 0cf285b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/app/Http/Middleware/XFrameOptions.php b/app/Http/Middleware/XFrameOptions.php
@@ -18,9 +18,11 @@ public function handle(Request $request, Closure $next): Response
         $response = $next($request);
 
         if ($request->route()->getName() == 'embed') {
-            $response->header('Content-Security-Policy', "default-src 'self'; base-uri 'self'; block-all-mixed-content; frame-src data: blob: *; img-src 'self'; style-src 'unsafe-inline' *;");
-        }
+            return $response->header('Content-Security-Policy', "default-src 'self'; base-uri 'self'; block-all-mixed-content; frame-src data: blob: *; img-src 'self'; style-src 'unsafe-inline' *;");
+        } else {
+            $xframeOptions = 'SAMEORIGIN';
 
-        return $response;
+            return $response->header('X-Frame-Options', $xframeOptions);
+        }
     }
 }
diff --git a/resources/ops/docker/nginx/vhost.conf b/resources/ops/docker/nginx/vhost.conf
@@ -8,7 +8,6 @@ server {
 
     client_max_body_size 200m;
 
-    add_header X-Frame-Options "SAMEORIGIN";
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";