fix: auth cookies across iframes (#1501)

This commit is contained in:
Lucas Smith
2024-12-03 15:28:30 +11:00
committed by GitHub
parent bdd33bd335
commit 2aae7435f8
3 changed files with 56 additions and 4 deletions


@ -80,7 +80,7 @@ export default async function EmbedSignDocumentPage({ params }: EmbedSignDocumen
return (
<EmbedAuthenticateView
email={user?.email || recipient.email}
returnTo={`/embed/direct/${token}`}
returnTo={`/embed/sign/${token}`}
/>
);
}


@ -78,13 +78,14 @@ async function middleware(req: NextRequest): Promise<NextResponse> {
if (req.nextUrl.pathname.startsWith('/embed')) {
const res = NextResponse.next();
const origin = req.headers.get('Origin') ?? '*';
// Allow third parties to iframe the document.
res.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.headers.set('Access-Control-Allow-Origin', '*');
res.headers.set('Content-Security-Policy', 'frame-ancestors *');
res.headers.set('Access-Control-Allow-Origin', origin);
res.headers.set('Content-Security-Policy', `frame-ancestors ${origin}`);
res.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
res.headers.set('X-Content-Type-Options', 'nosniff');
res.headers.set('X-Frame-Options', 'ALLOW-ALL');
return res;
}