@pixelbyte-software/pixcode 1.54.1 → 1.54.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.html
CHANGED
|
@@ -35,7 +35,7 @@
|
|
|
35
35
|
|
|
36
36
|
<!-- Prevent zoom on iOS -->
|
|
37
37
|
<meta name="format-detection" content="telephone=no" />
|
|
38
|
-
<script type="module" crossorigin src="/assets/index-
|
|
38
|
+
<script type="module" crossorigin src="/assets/index-lqiCTrCl.js"></script>
|
|
39
39
|
<link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
|
|
40
40
|
<link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
|
|
41
41
|
<link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
|
|
@@ -1555,27 +1555,11 @@ app.disable('x-powered-by');
|
|
|
1555
1555
|
// running behind nginx/Caddy/etc. (needed for correct protocol detection
|
|
1556
1556
|
// in resolvePublicBaseUrl and for rate-limiting middleware if added later).
|
|
1557
1557
|
app.set('trust proxy', 1);
|
|
1558
|
-
//
|
|
1559
|
-
//
|
|
1560
|
-
|
|
1561
|
-
const envOrigins = process.env.CORS_ALLOWED_ORIGINS;
|
|
1562
|
-
if (envOrigins) {
|
|
1563
|
-
return envOrigins.split(',').map((o) => o.trim()).filter(Boolean);
|
|
1564
|
-
}
|
|
1565
|
-
const devPort = process.env.VITE_PORT || 5173;
|
|
1566
|
-
return [
|
|
1567
|
-
`http://localhost:${devPort}`,
|
|
1568
|
-
`http://127.0.0.1:${devPort}`,
|
|
1569
|
-
];
|
|
1570
|
-
})();
|
|
1558
|
+
// CORS: self-hosted tool accessed from various IPs/hostnames.
|
|
1559
|
+
// Reflect the requesting origin so IP-based access (e.g. http://85.235.74.198:3001)
|
|
1560
|
+
// works without configuration. Credentials needed for auth header passthrough.
|
|
1571
1561
|
app.use(cors({
|
|
1572
|
-
origin
|
|
1573
|
-
// Allow same-origin requests (no Origin header) and allowlisted origins.
|
|
1574
|
-
if (!origin || ALLOWED_CORS_ORIGINS.includes(origin)) {
|
|
1575
|
-
return callback(null, true);
|
|
1576
|
-
}
|
|
1577
|
-
return callback(null, false);
|
|
1578
|
-
},
|
|
1562
|
+
origin: true,
|
|
1579
1563
|
credentials: true,
|
|
1580
1564
|
exposedHeaders: ['X-Refreshed-Token'],
|
|
1581
1565
|
}));
|
|
@@ -1591,16 +1575,16 @@ app.use((req, res, next) => {
|
|
|
1591
1575
|
if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
|
|
1592
1576
|
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
1593
1577
|
}
|
|
1594
|
-
// CSP for the SPA shell —
|
|
1595
|
-
//
|
|
1596
|
-
//
|
|
1578
|
+
// CSP for the SPA shell — relaxed for self-hosted tool accessed from
|
|
1579
|
+
// various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
|
|
1580
|
+
// ws:/wss: in connect-src allows WebSocket from any origin (IP access).
|
|
1597
1581
|
res.setHeader('Content-Security-Policy', [
|
|
1598
1582
|
"default-src 'self'",
|
|
1599
1583
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval'",
|
|
1600
1584
|
"style-src 'self' 'unsafe-inline'",
|
|
1601
1585
|
"img-src 'self' data: blob: https:",
|
|
1602
1586
|
"font-src 'self' data:",
|
|
1603
|
-
"connect-src 'self' ws: wss:",
|
|
1587
|
+
"connect-src 'self' ws: wss: http: https:",
|
|
1604
1588
|
"frame-ancestors 'self'",
|
|
1605
1589
|
"base-uri 'self'",
|
|
1606
1590
|
"form-action 'self'",
|