Archive/screentinker
1
0
Fork 0
mirror of https://github.com/screentinker/screentinker.git synced 2026-06-14 18:22:46 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #43 from screentinker/fix/widget-render-frameable

Browse source 
fix(widgets): make widget/kiosk render frameable (X-Frame-Options)
This commit is contained in:
screentinker 2026-06-08 23:37:52 -05:00 committed by GitHub
parent d13ac58e74 827b1c4c87
commit 8dce93d4dc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
server/routes/kiosk.js
View file

@ -180,6 +180,9 @@ router.get('/:id/render', (req, res) => {
</script>
</body></html>`;
// Embedded by the player in a sandboxed (null-origin) iframe; the global
// X-Frame-Options: SAMEORIGIN would refuse that and leave it blank.
res.removeHeader('X-Frame-Options');
res.setHeader('Content-Type', 'text/html');
res.send(html);
});

6
server/routes/widgets.js
View file

@ -183,6 +183,12 @@ router.get('/:id/render', (req, res) => {
const widget = db.prepare('SELECT * FROM widgets WHERE id = ?').get(req.params.id);
if (!widget) return res.status(404).send('Widget not found');
const config = JSON.parse(widget.config || '{}');
// This page is DESIGNED to be embedded by the player, which frames it in a
// sandboxed (allow-scripts, no allow-same-origin) iframe = a null origin. The
// global helmet X-Frame-Options: SAMEORIGIN refuses that (null != same), so
// widgets render blank in the web player. Drop it here; the sandbox - not
// X-Frame-Options - is what isolates the widget (it can't read the dashboard JWT).
res.removeHeader('X-Frame-Options');
res.setHeader('Content-Type', 'text/html');
res.send(renderWidgetHtml(widget.widget_type, config));
});