From a430284aa21e3ae1f0d5654e55b2ad2852519cc2 Mon Sep 17 00:00:00 2001
From: wwf <yearningwang@iqtogether.com>
Date: 星期三, 04 六月 2025 15:17:49 +0800
Subject: [PATCH] 初始化

---
 middleware.ts | 28 +++++++++-------------------
 1 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/middleware.ts b/middleware.ts
index ac01694..e0f8f37 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -3,26 +3,10 @@
 const NECESSARY_DOMAIN = '*.sentry.io http://localhost:* http://127.0.0.1:* https://analytics.google.com googletagmanager.com *.googletagmanager.com https://www.google-analytics.com https://api.github.com'
-const wrapResponseWithXFrameOptions = (response: NextResponse, pathname: string) => {
- // prevent clickjacking: https://owasp.org/www-community/attacks/Clickjacking
- // Chatbot page should be allowed to be embedded in iframe. It's a feature
- if (process.env.NEXT_PUBLIC_ALLOW_EMBED !== 'true' && !pathname.startsWith('/chat') && !pathname.startsWith('/workflow') && !pathname.startsWith('/completion'))
- response.headers.set('X-Frame-Options', 'DENY')
-
- return response
-}
 export function middleware(request: NextRequest) {
- const { pathname } = request.nextUrl
- const requestHeaders = new Headers(request.headers)
- const response = NextResponse.next({
- request: {
- headers: requestHeaders,
- },
- })
-
 const isWhiteListEnabled = !!process.env.NEXT_PUBLIC_CSP_WHITELIST && process.env.NODE_ENV === 'production'
 if (!isWhiteListEnabled)
- return wrapResponseWithXFrameOptions(response, pathname)
+ return NextResponse.next()
 const whiteList = `${process.env.NEXT_PUBLIC_CSP_WHITELIST} ${NECESSARY_DOMAIN}`
 const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
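Review bot: Deleting `wrapResponseWithXFrameOptions` removes the `X-Frame-Options: DENY` header from every response, both in this hunk's early `return NextResponse.next()` and in the production path that now ends with `return response` (hunk at -56,12), and nothing in the visible hunks adds a CSP `frame-ancestors` directive in its place; unless that directive exists outside these hunks, pages other than /chat, /workflow and /completion lose their clickjacking protection and `NEXT_PUBLIC_ALLOW_EMBED` is no longer honored in this file. If embedding is meant to be allowed everywhere, the commit message should say so and the `NEXT_PUBLIC_ALLOW_EMBED` opt-in should be documented as obsolete; otherwise keep the helper and apply it on both return paths, e.g. `return wrapResponseWithXFrameOptions(NextResponse.next(), pathname)` for the non-production branch. The body of `middleware` continues past the end of this hunk.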
@@ -37,7 +21,7 @@
 style-src 'self' 'unsafe-inline' ${scheme_source} ${whiteList};
 worker-src 'self' ${scheme_source} ${csp} ${whiteList};
 media-src 'self' ${scheme_source} ${csp} ${whiteList};
- img-src * data:;
+ img-src 'self' ${scheme_source} ${csp} ${whiteList};
 font-src 'self';
 object-src 'none';
 base-uri 'self';
@@ -49,6 +33,7 @@
 .replace(/\s{2,}/g, ' ')
 .trim()
+ const requestHeaders = new Headers(request.headers)
 requestHeaders.set('x-nonce', nonce)
 requestHeaders.set(
@@ -56,12 +41,17 @@
 contentSecurityPolicyHeaderValue,
 )
+ const response = NextResponse.next({
+ request: {
+ headers: requestHeaders,
+ },
+ })
 response.headers.set(
 'Content-Security-Policy',
 contentSecurityPolicyHeaderValue,
 )
- return wrapResponseWithXFrameOptions(response, pathname)
+ return response
 }
 export const config = {
--
Gitblit v1.8.0
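Review bot: The tightened `img-src 'self' ${scheme_source} ${csp} ${whiteList};` in the first hunk here no longer allows `data:` (the previous value was `* data:`), so any image rendered from a data URI will be blocked unless `scheme_source`, which is defined outside this hunk, already lists that scheme; please confirm that before merging, as UIs that preview uploaded images often rely on it. If data URIs are required, add `data:` back to this one directive rather than reopening the wildcard, so image sources otherwise stay limited to the whitelisted hosts. The CSP template belongs to the body of `middleware`, which starts outside this hunk.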