Allow embedding of share page.

2025-12-06 01:18:00 +01:00 · 2023-11-11 20:45:09 -08:00 · 2023-11-11 20:45:09 -08:00 · eda2c07ea3
commit eda2c07ea3
parent 9cb6046844
10 changed files with 58 additions and 39 deletions
--- a/next.config.js
+++ b/next.config.js
@ -3,29 +3,32 @@ require('dotenv').config();
 const path = require('path');
 const pkg = require('./package.json');

-const contentSecurityPolicy = `
-  default-src 'self';
-  img-src *;
-  script-src 'self' 'unsafe-eval' 'unsafe-inline';
-  style-src 'self' 'unsafe-inline';
-  connect-src 'self' api.umami.is;
-  frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS};
-`;
+const contentSecurityPolicy = [
+  `default-src 'self'`,
+  `img-src *`,
+  `script-src 'self' 'unsafe-eval' 'unsafe-inline'`,
+  `style-src 'self' 'unsafe-inline'`,
+  `connect-src 'self' api.umami.is`,
+];

 const headers = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on',
  },
-  {
+  !process.env.ALLOWED_FRAME_URLS && {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN',
  },
-  {
-    key: 'Content-Security-Policy',
-    value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
-  },
-];
+].filter(n => n);
+
+const cspHeader = (values = []) => ({
+  key: 'Content-Security-Policy',
+  value: [...contentSecurityPolicy, ...values]
+    .join(';')
+    .replace(/\s{2,}/g, ' ')
+    .trim(),
+});

 if (process.env.FORCE_SSL) {
  headers.push({
@ -81,14 +84,13 @@ const config = {
  reactStrictMode: false,
  env: {
    basePath: basePath || '',
-    cloudMode: !!process.env.CLOUD_MODE,
-    cloudUrl: process.env.CLOUD_URL,
+    cloudMode: process.env.CLOUD_MODE || '',
+    cloudUrl: process.env.CLOUD_URL || '',
    configUrl: '/config',
    currentVersion: pkg.version,
-    defaultLocale: process.env.DEFAULT_LOCALE,
-    disableLogin: process.env.DISABLE_LOGIN,
-    disableUI: process.env.DISABLE_UI,
-    isProduction: process.env.NODE_ENV === 'production',
+    defaultLocale: process.env.DEFAULT_LOCALE || '',
+    disableLogin: process.env.DISABLE_LOGIN || '',
+    disableUI: process.env.DISABLE_UI || '',
  },
  basePath,
  output: 'standalone',
@ -125,7 +127,14 @@ const config = {
    return [
      {
        source: '/:path*',
-        headers,
+        headers: [
+          ...headers,
+          cspHeader([`frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`]),
+        ],
+      },
+      {
+        source: '/share/:path*',
+        headers: [...headers, cspHeader()],
      },
    ];
  },