Spaces:
Running
Running
feat(security): add flag for allowing iframes (#1518)
Browse files- .env +1 -0
- chart/env/prod.yaml +1 -0
- svelte.config.js +6 -0
.env
CHANGED
|
@@ -164,6 +164,7 @@ ALLOWED_USER_EMAILS=`[]` # if it's defined, only these emails will be allowed to
|
|
| 164 |
|
| 165 |
USAGE_LIMITS=`{}`
|
| 166 |
|
|
|
|
| 167 |
ALLOW_INSECURE_COOKIES=false # recommended to keep this to false but set to true if you need to run over http without tls
|
| 168 |
METRICS_ENABLED=false
|
| 169 |
METRICS_PORT=5565
|
|
|
|
| 164 |
|
| 165 |
USAGE_LIMITS=`{}`
|
| 166 |
|
| 167 |
+
ALLOW_IFRAME=true
|
| 168 |
ALLOW_INSECURE_COOKIES=false # recommended to keep this to false but set to true if you need to run over http without tls
|
| 169 |
METRICS_ENABLED=false
|
| 170 |
METRICS_PORT=5565
|
chart/env/prod.yaml
CHANGED
|
@@ -30,6 +30,7 @@ envVars:
|
|
| 30 |
ADDRESS_HEADER: 'X-Forwarded-For'
|
| 31 |
ALTERNATIVE_REDIRECT_URLS: '["huggingchat://login/callback"]'
|
| 32 |
APP_BASE: "/chat"
|
|
|
|
| 33 |
COMMUNITY_TOOLS: "true"
|
| 34 |
ENABLE_ASSISTANTS: "true"
|
| 35 |
ENABLE_ASSISTANTS_RAG: "true"
|
|
|
|
| 30 |
ADDRESS_HEADER: 'X-Forwarded-For'
|
| 31 |
ALTERNATIVE_REDIRECT_URLS: '["huggingchat://login/callback"]'
|
| 32 |
APP_BASE: "/chat"
|
| 33 |
+
ALLOW_IFRAME: "false"
|
| 34 |
COMMUNITY_TOOLS: "true"
|
| 35 |
ENABLE_ASSISTANTS: "true"
|
| 36 |
ENABLE_ASSISTANTS_RAG: "true"
|
svelte.config.js
CHANGED
|
@@ -2,6 +2,7 @@ import adapter from "@sveltejs/adapter-node";
|
|
| 2 |
import { vitePreprocess } from "@sveltejs/vite-plugin-svelte";
|
| 3 |
import dotenv from "dotenv";
|
| 4 |
import { execSync } from "child_process";
|
|
|
|
| 5 |
dotenv.config({ path: "./.env.local" });
|
| 6 |
dotenv.config({ path: "./.env" });
|
| 7 |
|
|
@@ -33,6 +34,11 @@ const config = {
|
|
| 33 |
// handled in hooks.server.ts, because we can have multiple valid origins
|
| 34 |
checkOrigin: false,
|
| 35 |
},
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
},
|
| 37 |
};
|
| 38 |
|
|
|
|
| 2 |
import { vitePreprocess } from "@sveltejs/vite-plugin-svelte";
|
| 3 |
import dotenv from "dotenv";
|
| 4 |
import { execSync } from "child_process";
|
| 5 |
+
|
| 6 |
dotenv.config({ path: "./.env.local" });
|
| 7 |
dotenv.config({ path: "./.env" });
|
| 8 |
|
|
|
|
| 34 |
// handled in hooks.server.ts, because we can have multiple valid origins
|
| 35 |
checkOrigin: false,
|
| 36 |
},
|
| 37 |
+
csp: {
|
| 38 |
+
directives: {
|
| 39 |
+
...(process.env.ALLOW_IFRAME === "true" ? {} : { "frame-ancestors": ["'none'"] }),
|
| 40 |
+
},
|
| 41 |
+
},
|
| 42 |
},
|
| 43 |
};
|
| 44 |
|