hub / github.com/FlowiseAI/Flowise / getAllowedIframeOrigins

Function getAllowedIframeOrigins

packages/server/src/utils/XSS.ts:158–168
()

Source from the content-addressed store, hash-verified

/**
 * @returns Space-separated string for CSP frame-ancestors directive
 */
export function getAllowedIframeOrigins(): string {
    // Expects FQDN separated by commas, otherwise nothing or * for all.
    // Also CSP allowed values: self or none
    const origins = (process.env.IFRAME_ORIGINS?.trim() || undefined) ?? "'self'"
    // Convert CSV to space-separated for CSP frame-ancestors directive
    return origins
        .split(',')
        .map((s) => s.trim())
        .filter(Boolean)
        .join(' ')
}

export function getIframeSecurityHeaders(): Record<string, string> {
    const allowedOrigins = getAllowedIframeOrigins()
    // ... (listing ends here)

Callers 2

XSS.test.ts · File · 0.90
getIframeSecurityHeaders · Function · 0.85

Calls

no outgoing calls

Tested by

no test coverage detected