From cc52829d1757a53ce791668b9aab607412f92ded Mon Sep 17 00:00:00 2001
From: mertmit
Date: Tue, 20 Feb 2024 09:35:45 +0000
Subject: [PATCH] fix: avoid framing other than shared pages
---
 .../nc-gui/middleware/01.security.global.ts | 19 +++++++++++++++++++
 .../{auth.global.ts => 02.auth.global.ts} | 0
 2 files changed, 19 insertions(+)
 create mode 100644 packages/nc-gui/middleware/01.security.global.ts
 rename packages/nc-gui/middleware/{auth.global.ts => 02.auth.global.ts} (100%)
diff --git a/packages/nc-gui/middleware/01.security.global.ts b/packages/nc-gui/middleware/01.security.global.ts
new file mode 100644
index 0000000000..278fcf7249
--- /dev/null
+++ b/packages/nc-gui/middleware/01.security.global.ts
@@ -0,0 +1,19 @@
+export default defineNuxtRouteMiddleware(async (to) => {
+ // avoid non-embeddable paths within an iframe
+ if (self !== top) {
+ // allow for shared base
+ const embeddablePaths = ['/base/']
+ const embedRegex = new RegExp(`^(${embeddablePaths.join('|')})`)
+ if (embedRegex.test(to.path)) {
+ return
+ }
+
+ // allow for shared views
+ if (to.meta?.layout === 'shared-view') {
+ return
+ }
+
+ // throw for all other pages
+ throw createError({ statusCode: 403, message: 'Not allowed' })
+ }
+})
diff --git a/packages/nc-gui/middleware/auth.global.ts b/packages/nc-gui/middleware/02.auth.global.ts
similarity index 100%
rename from packages/nc-gui/middleware/auth.global.ts
rename to packages/nc-gui/middleware/02.auth.global.ts
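Review bot: The embed allow-list in `01.security.global.ts` is compiled by joining raw strings into a `RegExp`, so an entry added later that contains `.`, `?` or `(` would be read as pattern syntax and could change which paths may be framed. The `^(/base/)` prefix also admits every route under `/base/`, not only the shared-base page, so it is worth checking against the router. A literal prefix test, `if (embeddablePaths.some((p) => to.path.startsWith(p))) return`, avoids the regex. The `self !== top` check runs only in the browser once the app's script executes, so it looks like a complement to, not a substitute for, a `Content-Security-Policy: frame-ancestors` (or `X-Frame-Options`) response header; a comment above the check saying which control is authoritative would help. `async` on the callback is unnecessary, since nothing is awaited.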