2026-03-01 03:04:24 +08:00
|
|
|
|
import { NextResponse } from 'next/server';
|
|
|
|
|
|
import type { NextRequest } from 'next/server';
|
|
|
|
|
|
|
|
|
|
|
|
export function middleware(request: NextRequest) {
|
|
|
|
|
|
const response = NextResponse.next();
|
|
|
|
|
|
|
2026-03-03 01:36:22 +08:00
|
|
|
|
// 自动从 SUB2API_BASE_URL 提取 origin,允许 Sub2API 主站 iframe 嵌入
|
|
|
|
|
|
const sub2apiUrl = process.env.SUB2API_BASE_URL || '';
|
|
|
|
|
|
const extraOrigins = process.env.IFRAME_ALLOW_ORIGINS || '';
|
2026-03-01 03:04:24 +08:00
|
|
|
|
|
2026-03-03 01:36:22 +08:00
|
|
|
|
const origins = new Set<string>();
|
2026-03-01 03:04:24 +08:00
|
|
|
|
|
2026-03-03 01:36:22 +08:00
|
|
|
|
if (sub2apiUrl) {
|
|
|
|
|
|
try {
|
|
|
|
|
|
origins.add(new URL(sub2apiUrl).origin);
|
|
|
|
|
|
} catch {
|
|
|
|
|
|
// ignore invalid URL
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
for (const s of extraOrigins.split(',')) {
|
|
|
|
|
|
const trimmed = s.trim();
|
|
|
|
|
|
if (trimmed) origins.add(trimmed);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (origins.size > 0) {
|
|
|
|
|
|
response.headers.set('Content-Security-Policy', `frame-ancestors 'self' ${[...origins].join(' ')}`);
|
2026-03-01 03:04:24 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-13 23:03:01 +08:00
|
|
|
|
response.headers.set('X-Content-Type-Options', 'nosniff');
|
|
|
|
|
|
response.headers.set('X-Frame-Options', 'SAMEORIGIN');
|
|
|
|
|
|
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
|
|
|
|
|
2026-03-01 03:04:24 +08:00
|
|
|
|
return response;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
export const config = {
|
|
|
|
|
|
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
|
|
|
|
|
|
};
|
