From ef7f306aa34f567079103b4fa3d1cd5eeea968af Mon Sep 17 00:00:00 2001
From: Venkata Chandra Sekhar Nainala
Date: Thu, 4 Jan 2024 09:46:39 +0000
Subject: [PATCH] fix: ancestor header issue fix - allowing all domain iframe src embed
---
 app/Http/Middleware/XFrameOptions.php | 16 ++--------------
 resources/ops/docker/nginx/vhost.conf | 1 +
 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/app/Http/Middleware/XFrameOptions.php b/app/Http/Middleware/XFrameOptions.php
index 51757062..de7ce4b6 100644
--- a/app/Http/Middleware/XFrameOptions.php
+++ b/app/Http/Middleware/XFrameOptions.php
@@ -17,22 +17,10 @@ public function handle(Request $request, Closure $next): Response
 {
 $response = $next($request);
- $option = 'SAMEORIGIN';
- if ($request->route()->getName() == 'embed') {
- $xframeOptions = env('X_FRAME_OPTIONS', $option);
- if ($xframeOptions) {
- $host = $request->getHttpHost();
- $xframeOptions = str_replace('*', $host, $xframeOptions);
- if (strpos($xframeOptions, 'ALLOW-FROM') !== false) {
- $url = trim(str_replace('ALLOW-FROM', '', $xframeOptions));
- $response->header('Content-Security-Policy', 'frame-ancestors '.$url);
- }
- }
- } else {
- $xframeOptions = $option;
+ $response->header('Content-Security-Policy', 'frame-ancestors frame-src data: blob: *');
 }
- return $response->header('X-Frame-Options', $xframeOptions);
+ return $response;
 }
 }
diff --git a/resources/ops/docker/nginx/vhost.conf b/resources/ops/docker/nginx/vhost.conf
index 71e5c6f3..53050a03 100644
--- a/resources/ops/docker/nginx/vhost.conf
+++ b/resources/ops/docker/nginx/vhost.conf
@@ -8,6 +8,7 @@ server {
 client_max_body_size 200m;
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options "nosniff";
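Review bot: The Content-Security-Policy value on the added `$response->header(...)` line is malformed: `frame-src` is not a source expression inside `frame-ancestors`, so browsers drop that token and enforce `frame-ancestors data: blob: *`, which lets any origin frame the page, whereas the removed code restricted framing to the host derived from `X_FRAME_OPTIONS`. If framing from every origin is really the intent, write it plainly as `'frame-ancestors *'`; otherwise keep an allowlist, e.g. `'frame-ancestors ' . $allowedAncestors` with `$allowedAncestors` read from configuration (placeholder: <frame-ancestors allowlist>). The hunk also marks the `if ($request->route()->getName() == 'embed') {` line as removed while its closing `}` stays as context, which matches the 14-deletion diffstat but would apply the CSP to every route and leave an unmatched brace, so please confirm the new side parses and that dropping the route guard was intended. Because the middleware no longer sends `X-Frame-Options` for any route, non-embed pages keep clickjacking protection only where the nginx vhost from the second hunk fronts the app.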
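Review bot: The added `add_header X-Frame-Options "SAMEORIGIN";` at `server` level now also covers the embed route, where the application sends a `frame-ancestors ... *` policy; CSP Level 2 browsers let `frame-ancestors` override `X-Frame-Options`, but clients without that support will honour `SAMEORIGIN` and refuse the embed, so the two layers disagree. nginx `add_header` is not inherited into any `location` block that declares its own `add_header`, and the `server` block continues outside the hunk, so the header may silently be absent on such locations. Either emit `X-Frame-Options` from the application for non-embed routes, or scope this directive so it is not sent for the embed path and re-declare it in every `location` that sets headers.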