fix: avoid framing other than shared pages

9 months ago · cc52829d17
2 changed files with 19 additions and 0 deletions
--- a/packages/nc-gui/middleware/01.security.global.ts
+++ b/packages/nc-gui/middleware/01.security.global.ts
@ -0,0 +1,19 @@
+export default defineNuxtRouteMiddleware(async (to) => {
+  // avoid non-embeddable paths within an iframe
+  if (self !== top) {
+    // allow for shared base
+    const embeddablePaths = ['/base/']
+    const embedRegex = new RegExp(`^(${embeddablePaths.join('|')})`)
+    if (embedRegex.test(to.path)) {
+      return
+    }
+
+    // allow for shared views
+    if (to.meta?.layout === 'shared-view') {
+      return
+    }
+
+    // throw for all other pages
+    throw createError({ statusCode: 403, message: 'Not allowed' })
+  }
+})
--- a/packages/nc-gui/middleware/02.auth.global.ts
+++ b/packages/nc-gui/middleware/02.auth.global.ts