()
| 156 | * @returns Space-separated string for CSP frame-ancestors directive |
| 157 | */ |
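export function getAllowedIframeOrigins(): string {
  // IFRAME_ORIGINS holds the origins allowed to frame this app, separated by
  // commas (whitespace is tolerated too), or "*" for any ancestor, or one of
  // the CSP keywords self / none — with or without the quotes CSP requires.
  // Unset or blank means 'self'.
  const raw = process.env.IFRAME_ORIGINS?.trim()
  const sources = (raw || "'self'")
    .split(/[\s,]+/)
    .filter(Boolean)
    .map(normalizeFrameAncestorSource)

  // A value such as "," yields no sources at all; fall back to 'self' instead of
  // emitting a directive with an empty source list.
  return sources.length > 0 ? sources.join(' ') : "'self'"
}

// Normalize one configured source expression for the frame-ancestors directive.
// Throws on a token that would break out of the directive, since a misconfigured
// origin must not silently weaken the rest of the CSP header.
function normalizeFrameAncestorSource(token: string): string {
  // ';' terminates a CSP directive, so a single token such as
  // "https://a.example;script-src 'unsafe-inline'" would append a directive
  // the operator never meant to send. Fail fast at config time instead.
  if (token.includes(';')) {
    throw new Error(`IFRAME_ORIGINS: invalid frame-ancestors source "${token}"`)
  }
  // CSP keywords must be quoted ('self', 'none'). A bare `self` is sent as a
  // host named "self", which matches nothing, so quote the keywords here.
  const keyword = token.toLowerCase()
  if (keyword === 'self' || keyword === "'self'") return "'self'"
  if (keyword === 'none' || keyword === "'none'") return "'none'"
  // Anything else is passed through as a host-source (scheme://host[:port]).
  return token
}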
| 169 | |
| 170 | export function getIframeSecurityHeaders(): Record<string, string> { |
| 171 | const allowedOrigins = getAllowedIframeOrigins() |