[Feature] Allow public dashboard to be embedded (alexjustesen#897)

Author: alexjustesen

.env.example

@@ -4,6 +4,8 @@ APP_KEY=
 APP_DEBUG=false
 APP_URL=http://localhost
 
+ALLOW_EMBEDS=
+
 FORCE_HTTPS=false
 
 CONTENT_WIDTH=7xl

app/Http/Kernel.php

@@ -64,5 +64,7 @@ class Kernel extends HttpKernel
         'signed' => \App\Http\Middleware\ValidateSignature::class,
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
+
+        'x-frame-allow' => \App\Http\Middleware\FrameAllowOptions::class,
     ];
 }

app/Http/Middleware/FrameAllowOptions.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class FrameAllowOptions
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $response = $next($request);
+
+        if (! blank(config('speedtest.allow_embeds'))) {
+            $response->header('X-Frame-Options', 'ALLOW FROM '.config('speedtest.allow_embeds'));
+        }
+
+        return $response;
+    }
+}

app/Http/Middleware/VerifyCsrfToken.php

@@ -12,6 +12,6 @@ class VerifyCsrfToken extends Middleware
      * @var array<int, string>
      */
     protected $except = [
-        //
+        '/',
     ];
 }

config/speedtest.php

@@ -23,4 +23,9 @@
     'notification_polling' => env('NOTIFICATION_POLLING', '60s'),
 
     'results_polling' => env('RESULTS_POLLING', null),
+
+    /**
+     * Security
+     */
+    'allow_embeds' => env('ALLOW_EMBEDS', null),
 ];

routes/web.php

@@ -15,6 +15,7 @@
 */
 
 Route::get('/', HomeController::class)
+    ->middleware('x-frame-allow')
     ->name('home');
 
 Route::get('/login', function () {