allow embedding of site in a configured website

Hammer1279 · Hammer1279 · commit 27bfb6d15091 · 2025-04-01T09:34:18.000Z
diff --git a/config.json b/config.json
@@ -36,7 +36,9 @@
             "maxAuthRequests": 3,
             "timeWindow": 300,
             "whitelist": []
-        }
+        },
+        "_embedSite": "https://example.com",
+        "embedSite": false
     },
     "testserver": {
         "_note": "This is a test server, it will respond with a 200 OK, if enabled",
@@ -110,7 +112,7 @@
             "host": [
                 "devserv.ht-dev.de"
             ],
-            "enabled": true,
+            "enabled": false,
             "target": "http://localhost:81",
             "ssl": {
                 "key": "certs/acme/live/devserv.ht-dev.de/privkey.pem",
@@ -155,7 +157,7 @@
             "host": [
                 "devserv.ht-dev.de"
             ],
-            "enabled": true,
+            "enabled": false,
             "status": 200,
             "message": "Success",
             "secure": true,
diff --git a/web/server.js b/web/server.js
@@ -54,7 +54,13 @@ app.use((req, res, next) => {
 });
 
 app.use((req, res, next) => {
-    res.setHeader('X-Frame-Options', 'DENY');
+    if (config.management.embedSite) {
+        res.setHeader('X-Frame-Options', 'ALLOW-FROM ' + config.management.embedSite);
+        res.setHeader('Content-Security-Policy', 'frame-ancestors ' + config.management.embedSite);
+    } else {
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('Content-Security-Policy', 'frame-ancestors \'none\'');
+    }
     res.setHeader('X-Content-Type-Options', 'nosniff');
     // res.setHeader('Content-Security-Policy', 'default-src \'self\'');
     res.setHeader('Referrer-Policy', 'same-origin');
