fix: harden control ui framing + ws origin

This commit is contained in:
Peter Steinberger
2026-02-03 16:00:57 -08:00
parent 0223416c61
commit 66d8117d44
11 changed files with 265 additions and 91 deletions


@@ -66,6 +66,12 @@ type ControlUiAvatarMeta = {
avatarUrl: string | null;
};
function applyControlUiSecurityHeaders(res: ServerResponse) {
res.setHeader("X-Frame-Options", "DENY");
res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
res.setHeader("X-Content-Type-Options", "nosniff");
}
function sendJson(res: ServerResponse, status: number, body: unknown) {
res.statusCode = status;
res.setHeader("Content-Type", "application/json; charset=utf-8");
@@ -100,6 +106,8 @@ export function handleControlUiAvatarRequest(
return false;
}
applyControlUiSecurityHeaders(res);
const agentIdParts = pathname.slice(pathWithBase.length).split("/").filter(Boolean);
const agentId = agentIdParts[0] ?? "";
if (agentIdParts.length !== 1 || !agentId || !isValidAgentId(agentId)) {
@@ -250,6 +258,7 @@ export function handleControlUiHttpRequest(
if (!basePath) {
if (pathname === "/ui" || pathname.startsWith("/ui/")) {
applyControlUiSecurityHeaders(res);
respondNotFound(res);
return true;
}
@@ -257,6 +266,7 @@ export function handleControlUiHttpRequest(
if (basePath) {
if (pathname === basePath) {
applyControlUiSecurityHeaders(res);
res.statusCode = 302;
res.setHeader("Location", `${basePath}/${url.search}`);
res.end();
@@ -267,6 +277,8 @@ export function handleControlUiHttpRequest(
}
}
applyControlUiSecurityHeaders(res);
const rootState = opts?.root;
if (rootState?.kind === "invalid") {
res.statusCode = 503;