auto-save 2026-04-19 22:56 (~2)

2026-04-19 22:56:55 +08:00
parent 7d83838a2e
commit ec2af8219c
2 changed files with 15 additions and 2 deletions
--- a/.memory/worklog.json
+++ b/.memory/worklog.json
@@ -314,6 +314,13 @@
      "message": "auto-save 2026-04-19 22:45 (~1)",
      "hash": "81e2710",
      "files_changed": 1
+    },
+    {
+      "ts": "2026-04-19T22:51:12+08:00",
+      "type": "commit",
+      "message": "auto-save 2026-04-19 22:51 (~2)",
+      "hash": "7d83838",
+      "files_changed": 2
    }
  ]
 }
--- a/orchestrator/src/index.ts
+++ b/orchestrator/src/index.ts
@@ -16,9 +16,15 @@ const app = new Hono();
 app.get('/health', (c) => c.json({ ok: true, ts: Date.now() }));

 // Admin UI 页面(HTML,本身的 API 走下面 /admin/api/*)
-app.get('/admin/', (c) => c.html(DASHBOARD_HTML));
+const ALLOW_IFRAME_FROM = "frame-ancestors 'self' https://ai.milejoy.com https://lobehub.kang-kang.com";
+const withCsp = (c: any, html: string) => {
+  c.header('Content-Security-Policy', ALLOW_IFRAME_FROM);
+  c.header('X-Frame-Options', ''); // 移除 X-Frame-Options(CSP frame-ancestors 更精细)
+  return c.html(html);
+};
+app.get('/admin/', (c) => withCsp(c, DASHBOARD_HTML));
 app.get('/admin', (c) => c.redirect('/admin/?token=' + (c.req.query('token') ?? '')));
-app.get('/admin/user/:userId', (c) => c.html(USER_VIEW_HTML));
+app.get('/admin/user/:userId', (c) => withCsp(c, USER_VIEW_HTML));

 // Admin API(挂在 /admin/api,auth 在 admin router 里处理)
 app.route('/admin/api', admin);