@pixelbyte-software/pixcode 1.54.1 → 1.54.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.html CHANGED
@@ -35,7 +35,7 @@
35
35
 
36
36
  <!-- Prevent zoom on iOS -->
37
37
  <meta name="format-detection" content="telephone=no" />
38
- <script type="module" crossorigin src="/assets/index-CLO8YURv.js"></script>
38
+ <script type="module" crossorigin src="/assets/index-lqiCTrCl.js"></script>
39
39
  <link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
40
40
  <link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
41
41
  <link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
@@ -1555,27 +1555,11 @@ app.disable('x-powered-by');
1555
1555
  // running behind nginx/Caddy/etc. (needed for correct protocol detection
1556
1556
  // in resolvePublicBaseUrl and for rate-limiting middleware if added later).
1557
1557
  app.set('trust proxy', 1);
1558
- // Restrict CORS to known origins instead of reflecting any requester.
1559
- // In production the frontend is same-origin; in dev it's the Vite server.
1560
- const ALLOWED_CORS_ORIGINS = (() => {
1561
- const envOrigins = process.env.CORS_ALLOWED_ORIGINS;
1562
- if (envOrigins) {
1563
- return envOrigins.split(',').map((o) => o.trim()).filter(Boolean);
1564
- }
1565
- const devPort = process.env.VITE_PORT || 5173;
1566
- return [
1567
- `http://localhost:${devPort}`,
1568
- `http://127.0.0.1:${devPort}`,
1569
- ];
1570
- })();
1558
+ // CORS: self-hosted tool accessed from various IPs/hostnames.
1559
+ // Reflect the requesting origin so IP-based access (e.g. http://85.235.74.198:3001)
1560
+ // works without configuration. Credentials needed for auth header passthrough.
1571
1561
  app.use(cors({
1572
- origin(origin, callback) {
1573
- // Allow same-origin requests (no Origin header) and allowlisted origins.
1574
- if (!origin || ALLOWED_CORS_ORIGINS.includes(origin)) {
1575
- return callback(null, true);
1576
- }
1577
- return callback(null, false);
1578
- },
1562
+ origin: true,
1579
1563
  credentials: true,
1580
1564
  exposedHeaders: ['X-Refreshed-Token'],
1581
1565
  }));
@@ -1591,16 +1575,16 @@ app.use((req, res, next) => {
1591
1575
  if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
1592
1576
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
1593
1577
  }
1594
- // CSP for the SPA shell — API responses are JSON so this mainly guards
1595
- // the served index.html. 'unsafe-inline' is needed for Vite's inline
1596
- // module preload polyfill; style-src unsafe-inline for Tailwind injected styles.
1578
+ // CSP for the SPA shell — relaxed for self-hosted tool accessed from
1579
+ // various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
1580
+ // ws:/wss: in connect-src allows WebSocket from any origin (IP access).
1597
1581
  res.setHeader('Content-Security-Policy', [
1598
1582
  "default-src 'self'",
1599
1583
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1600
1584
  "style-src 'self' 'unsafe-inline'",
1601
1585
  "img-src 'self' data: blob: https:",
1602
1586
  "font-src 'self' data:",
1603
- "connect-src 'self' ws: wss:",
1587
+ "connect-src 'self' ws: wss: http: https:",
1604
1588
  "frame-ancestors 'self'",
1605
1589
  "base-uri 'self'",
1606
1590
  "form-action 'self'",