From 8cf78dc2959e6c75ec8aa78c9476028cbbba1e46 Mon Sep 17 00:00:00 2001
From: erio
Date: Tue, 3 Mar 2026 01:36:22 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20frame-ancestors=20=E8=87=AA=E5=8A=A8?=
 =?UTF-8?q?=E4=BB=8E=20SUB2API=5FBASE=5FURL=20=E6=8E=A8=E5=AF=BC=EF=BC=8C?=
 =?UTF-8?q?=E6=97=A0=E9=9C=80=E6=89=8B=E5=8A=A8=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

不再依赖 IFRAME_ALLOW_ORIGINS 手动配置 Sub2API 域名,
自动从 SUB2API_BASE_URL 提取 origin 加入 CSP frame-ancestors。

Co-Authored-By: Claude Opus 4.6
---
 src/middleware.ts | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/src/middleware.ts b/src/middleware.ts
index f5cb063..c883bd2 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -4,16 +4,27 @@ import type { NextRequest } from 'next/server';
 export function middleware(request: NextRequest) {
   const response = NextResponse.next();
 
-  // IFRAME_ALLOW_ORIGINS: 允许嵌入 iframe 的外部域名(逗号分隔)
-  const allowOrigins = process.env.IFRAME_ALLOW_ORIGINS || '';
+  // 自动从 SUB2API_BASE_URL 提取 origin,允许 Sub2API 主站 iframe 嵌入
+  const sub2apiUrl = process.env.SUB2API_BASE_URL || '';
+  const extraOrigins = process.env.IFRAME_ALLOW_ORIGINS || '';
 
-  const origins = allowOrigins
-    .split(',')
-    .map((s) => s.trim())
-    .filter(Boolean);
+  const origins = new Set();
 
-  if (origins.length > 0) {
-    response.headers.set('Content-Security-Policy', `frame-ancestors 'self' ${origins.join(' ')}`);
+  if (sub2apiUrl) {
+    try {
+      origins.add(new URL(sub2apiUrl).origin);
+    } catch {
+      // ignore invalid URL
+    }
+  }
+
+  for (const s of extraOrigins.split(',')) {
+    const trimmed = s.trim();
+    if (trimmed) origins.add(trimmed);
+  }
+
+  if (origins.size > 0) {
+    response.headers.set('Content-Security-Policy', `frame-ancestors 'self' ${[...origins].join(' ')}`);
   }
 
   return response;
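Review bot: `new URL(sub2apiUrl).origin` is added to frame-ancestors unchecked, but for a non-http(s) URL (e.g. a `file:` value) the WHATWG URL API returns the literal string `"null"`, which would then be emitted into the CSP header as a bogus host source; guard it with `const { origin } = new URL(sub2apiUrl); if (origin !== 'null') origins.add(origin);`. In the same block, `const origins = new Set();` infers `Set<unknown>` under strict mode — `new Set<string>()` keeps the later `.add`/`.join` typed. The empty `catch` silently drops a misconfigured `SUB2API_BASE_URL` (such as a bare host with no scheme), so the feature this commit introduces fails without any signal; a `console.warn` naming the env var would make that visible at startup. The removed comment was the only place `IFRAME_ALLOW_ORIGINS` (comma-separated extra origins) was documented; consider restoring a one-line comment on the `extraOrigins` declaration. Note also that, as before this change, no frame-ancestors directive at all is sent when both env vars are empty, so framing by any origin stays allowed in that configuration — presumably intended, but worth confirming.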