From 8fe0537d46118dd478eafb1e1a64d0cad4c8584b Mon Sep 17 00:00:00 2001
From: NFish
Date: Wed, 14 May 2025 17:31:23 +0800
Subject: [PATCH] fix: X-Frame-Options exclude webapp signin page

---
 web/middleware.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/middleware.ts b/web/middleware.ts
index 7eb5f37f21..4857030fa8 100644
--- a/web/middleware.ts
+++ b/web/middleware.ts
@@ -6,7 +6,7 @@ const NECESSARY_DOMAIN = '*.sentry.io http://localhost:* http://127.0.0.1:* http
 const wrapResponseWithXFrameOptions = (response: NextResponse, pathname: string) => {
 // prevent clickjacking: https://owasp.org/www-community/attacks/Clickjacking
 // Chatbot page should be allowed to be embedded in iframe. It's a feature
- if (process.env.NEXT_PUBLIC_ALLOW_EMBED !== 'true' && !pathname.startsWith('/chat') && !pathname.startsWith('/workflow') && !pathname.startsWith('/completion'))
+ if (process.env.NEXT_PUBLIC_ALLOW_EMBED !== 'true' && !pathname.startsWith('/chat') && !pathname.startsWith('/workflow') && !pathname.startsWith('/completion') && !pathname.startsWith('/webapp-signin'))
 response.headers.set('X-Frame-Options', 'DENY')
 return response