domain
- components/iframe-warning-modal.tsx +4 -4
- middleware.ts +1 -48
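--- a/components/iframe-warning-modal.tsx
+++ b/components/iframe-warning-modal.tsx
@@ -18,14 +18,14 @@ interface IframeWarningModalProps {
 
 export default function IframeWarningModal({
 isOpen,
-
-
+}: // onOpenChange,
+IframeWarningModalProps) {
 const handleVisitSite = () => {
-window.
+window.open("https://deepsite.hf.co", "_blank");
 };
 
 return (
-<Dialog open={isOpen} onOpenChange={
+<Dialog open={isOpen} onOpenChange={() => {}}>
 <DialogContent className="sm:max-w-md">
 <DialogHeader>
 <div className="flex items-center gap-2">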
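Review bot: `window.open("https://deepsite.hf.co", "_blank")` in `handleVisitSite` leaves `window.opener` set on the new tab, because the implicit noopener behaviour applies to `<a target="_blank">` links and not to script-initiated opens. Pass the feature string explicitly: `window.open("https://deepsite.hf.co", "_blank", "noopener,noreferrer");`. The destination is first-party, so this is hardening rather than an exploitable hole. Separately, `onOpenChange={() => {}}` together with the commented-out `// onOpenChange,` means a caller-supplied handler is silently ignored if `IframeWarningModalProps` still declares it (the interface is outside the hunk). If the modal is meant to be non-dismissible, remove the prop from the interface and add a comment such as `// Intentionally non-dismissible: shown when the app is framed by a non-allowed origin`. The component body continues past the end of the hunk.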
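--- a/middleware.ts
+++ b/middleware.ts
@@ -4,54 +4,7 @@ import type { NextRequest } from "next/server";
 export function middleware(request: NextRequest) {
 const headers = new Headers(request.headers);
 headers.set("x-current-host", request.nextUrl.host);
-
-// Check if the request is coming from an iframe
-const referer = request.headers.get("referer");
-const currentHost = request.nextUrl.host;
-const currentOrigin = `${request.nextUrl.protocol}//${currentHost}`;
-
-// Helper function to check if a URL is from allowed domains
-const isAllowedDomain = (url: string) => {
-try {
-const urlObj = new URL(url);
-const hostname = urlObj.hostname.toLowerCase();
-return hostname.endsWith('.huggingface.co') ||
-hostname.endsWith('.hf.co') ||
-hostname === 'huggingface.co' ||
-hostname === 'hf.co';
-} catch {
-return false;
-}
-};
-
-// If there's a referer and it's not from the same origin, check if it's allowed
-if (referer && !referer.startsWith(currentOrigin)) {
-// Additional check: look for iframe-specific headers or indicators
-const secFetchDest = request.headers.get("sec-fetch-dest");
-const secFetchMode = request.headers.get("sec-fetch-mode");
-
-// If the request is for a document within an iframe context
-if (secFetchDest === "iframe" ||
-(secFetchDest === "document" && secFetchMode === "navigate" && referer)) {
-
-// Check if the referer is from an allowed domain
-if (!isAllowedDomain(referer)) {
-return NextResponse.redirect("https://deepsite.hf.co");
-}
-}
-}
-
-// Set headers to prevent framing
-const response = NextResponse.next({ headers });
-
-// Allow embedding only from Hugging Face domains
-response.headers.set("X-Frame-Options", "SAMEORIGIN");
-response.headers.set(
-"Content-Security-Policy",
-"frame-ancestors 'self' *.huggingface.co *.hf.co huggingface.co hf.co;"
-);
-
-return response;
+return NextResponse.next({ headers });
 }
 
 export const config = {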
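Review bot: After this change `middleware` sends no `Content-Security-Policy: frame-ancestors` and no `X-Frame-Options`, so any origin can frame the app and the only remaining control is the client-side warning modal, which the embedding page can cover up. Dropping the Referer/`Sec-Fetch-*` redirect is reasonable, since those request headers are a weak signal, but the `frame-ancestors` allowlist is enforced by the browser and is worth keeping on its own. It can stand without the old `X-Frame-Options: SAMEORIGIN`, which contradicted the allowlist. Also, `NextResponse.next({ headers })` sets the copied request headers on the response rather than forwarding them to the route, so inbound headers are echoed back to the client. If `x-current-host` is meant to be read server-side, which the hunk does not show, the forwarding form is `NextResponse.next({ request: { headers } })`.

```typescript
  headers.set("x-current-host", request.nextUrl.host);

  // Forward the augmented headers to the route instead of echoing them on the response.
  const response = NextResponse.next({ request: { headers } });

  // Browser-enforced embedding allowlist; replaces the removed Referer-based redirect.
  response.headers.set(
    "Content-Security-Policy",
    "frame-ancestors 'self' *.huggingface.co *.hf.co huggingface.co hf.co;"
  );

  return response;
```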