Skip to content

Commit

Permalink
[FIX] Replace obsolete X-FRAME-OPTIONS header on Livechat route (#17419)
Browse files Browse the repository at this point in the history 
Replace deprecated X-FRAME-OPTIONS header by Content-Security-Policy.

Co-authored-by: Marcos Spessatto Defendi <[email protected]>
  • Loading branch information
@renatobecker @MarcosSpessatto @d-gubert
2 people authored and d-gubert committed May 1, 2020
1 parent f417f6d commit 570c46b
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/livechat/server/livechat.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,11 @@ WebApp.connectHandlers.use('/livechat', Meteor.bindEnvironment((req, res, next)

const referer = url.parse(req.headers.referer);
if (!_.contains(domainWhiteList, referer.host)) {
res.setHeader('X-FRAME-OPTIONS', 'DENY');
res.setHeader('Content-Security-Policy', 'frame-ancestors \'none\'');
return next();
}

res.setHeader('X-FRAME-OPTIONS', `ALLOW-FROM ${ referer.protocol }//${ referer.host }`);
res.setHeader('Content-Security-Policy', `frame-ancestors ${ referer.protocol }//${ referer.host }`);
}

res.write(indexHtmlWithServerURL);
Expand Down

0 comments on commit 570c46b

Please sign in to comment.