Feat: make embeddable into openMFP #175
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andreaskienle
requested changes
Jul 10, 2025
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
…frontend into feat/make-embeddable
There was a problem hiding this comment.
Pull Request Overview
This PR enables the service to be embedded in openMFP by updating cookie settings for cross-site use, introducing a CSP that restricts framing, and exposing a new FRAME_ANCESTORS environment variable. It also renames the dev flag to --local-dev and wires in @fastify/helmet for CSP enforcement.
- Adjust session cookies to
SameSite=None,secure: true, andpartitioned: truefor cross-site embedding. - Add
FRAME_ANCESTORSenv var, register it, and enforce it in a CSPframe-ancestorsdirective via Helmet. - Rename local dev flag, update scripts and plugin registrations accordingly.
Reviewed Changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| server/encrypted-session.js | Set cookies to cross-site mode (None), always secure, partitioned |
| server/config/env.js | Added required FRAME_ANCESTORS variable to env schema |
| server/app.js | Removed env plugin registration before session setup (regression) |
| server.js | Registered envPlugin, added Helmet with CSP including frame-ancestors |
| package.json | Changed dev script to use --local-dev, added Helmet dependency |
| index.html | Removed legacy window.global shim |
| .env.template | Documented new FRAME_ANCESTORS variable |
Comments suppressed due to low confidence (2)
.env.template:25
- [nitpick] Consider adding example values (e.g.
https://app.example.com https://admin.example.com) to clarify how to format multiple origins forFRAME_ANCESTORS.
FRAME_ANCESTORS=
server/app.js:12
- The environment plugin registration (
envPlugin) was removed, butencryptedSessionrelies onfastify.config. Re-addawait fastify.register(envPlugin);before registeringencryptedSessionto ensure config values are available.
fastify.register(encryptedSession, {
andreaskienle
approved these changes
Jul 15, 2025
andreaskienle
approved these changes
Jul 16, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Noneto allow cookies and therefore session when embedded in iFrameframe-anchestorsto only be embeddable in website we trustWe can not allow CORS since every browser initiated request will contain the session cookie (as defined by
SameSite). Without CORS and with the frame-anchestors we allow this to only happen within our domain/site.This change allow us to be used in openMFP.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: