Add X-frame options and Content-Security-Policy

mythz · mythz · commit 2870870b7b98 · 2025-04-11T12:39:17.000+08:00
diff --git a/MyApp/Configure.AppHost.cs b/MyApp/Configure.AppHost.cs
@@ -23,9 +23,23 @@ public override void Configure(Container container)
 
         SetConfig(new HostConfig {
             IgnorePathInfoPrefixes = { "/appsettings", "/_framework" },
-            GlobalResponseHeaders = {
-                { "X-Frame-Options", "SAMEORIGIN" },
-            },
+        });
+
+        string[] allowedOrigins = [
+            "https://localhost:5001",
+            "https://localhost:5002",
+            "https://docs.servicestack.net",
+            "https://servicestack.net",
+            "https://*.servicestack.net",
+        ];
+
+        GlobalResponseFilters.Add((req,res,dto) => {
+            var origin = req.Headers.Get(HttpHeaders.Origin);
+            if (origin != null && allowedOrigins.Any(o => origin.StartsWith(o)))
+            {
+                res.AddHeader("X-Frame-Options", $"ALLOW-FROM {origin}");
+                res.AddHeader("Content-Security-Policy", $"frame-ancestors {origin}");
+            }
         });
     }
 }
