@aiyiran/myclaw 1.0.217 → 1.0.219
- package/package.json +1 -1
- package/patches/patch.js +11 -6
package/package.json
CHANGED
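--- a/package/patches/patch.js
+++ b/package/patches/patch.js
@@ -250,21 +250,26 @@ function patch() {
 console.log('[myclaw-patch] ✅ 已修复 Permissions-Policy (microphone): ' + f);
 }
 
-// Patch 2: CSP
-// 原始: "default-src 'self'",
-// 目标:
+// Patch 2: CSP - 在 buildControlUiCspHeader 的 CSP 数组中放宽限制
+// 原始: "default-src 'self'", "connect-src 'self' ws: wss:", "frame-ancestors 'none'"
+// 目标: 添加 frame-src, 放开 connect-src 和 frame-ancestors
 if (needsCspFramePatch) {
-//
+// 添加 frame-src 指令(允许 iframe 加载外部 https 资源)
 content = content.replace(
 '"default-src \'self\'"',
 '"default-src \'self\'",\n\t\t"frame-src \'self\' https:"'
 );
-//
+// 放开 connect-src,允许 fetch/XHR 到外部 https API
+content = content.replace(
+'"connect-src \'self\' ws: wss:"',
+'"connect-src \'self\' https: ws: wss:"'
+);
+// 放开 frame-ancestors,允许被外部 https 页面嵌入
 content = content.replace(
 '"frame-ancestors \'none\'"',
 '"frame-ancestors \'self\' https:"'
 );
-console.log('[myclaw-patch] ✅
+console.log('[myclaw-patch] ✅ 已修复 CSP (frame-src, connect-src, frame-ancestors): ' + f);
 }
 
 fs.writeFileSync(filePath, content, 'utf8');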
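Review bot: The three replacements in the `if (needsCspFramePatch)` block widen the control UI's CSP to the whole `https:` scheme, which is much broader than the comments' stated goal of loading and calling external resources. `frame-ancestors 'self' https:` lets any HTTPS page embed the UI, so the clickjacking protection that `'none'` gave is gone, and `connect-src 'self' https: ws: wss:` no longer limits where script running in the page can send data over fetch/XHR. Prefer listing only the origins that are actually needed, e.g. `'"connect-src \'self\' https://<API_ORIGIN> ws: wss:"'` and `'"frame-ancestors \'self\' https://<EMBEDDING_ORIGIN>"'` (placeholders; the real origins are not on this page). The success message is also logged whether or not each `replace` found its target string; how `needsCspFramePatch` is computed lies outside the hunk, as do the start and end of `patch()`.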