@pixelbyte-software/pixcode 1.54.6 → 1.54.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.html
CHANGED
|
@@ -35,7 +35,7 @@
|
|
|
35
35
|
|
|
36
36
|
<!-- Prevent zoom on iOS -->
|
|
37
37
|
<meta name="format-detection" content="telephone=no" />
|
|
38
|
-
<script type="module" crossorigin src="/assets/index-
|
|
38
|
+
<script type="module" crossorigin src="/assets/index-D-4VRH1a.js"></script>
|
|
39
39
|
<link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
|
|
40
40
|
<link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
|
|
41
41
|
<link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
|
|
@@ -1573,32 +1573,17 @@ app.use(cors({
|
|
|
1573
1573
|
credentials: true,
|
|
1574
1574
|
exposedHeaders: ['X-Refreshed-Token'],
|
|
1575
1575
|
}));
|
|
1576
|
-
// Security headers
|
|
1576
|
+
// Security headers — kept lightweight for self-hosted tool compatibility.
|
|
1577
|
+
// CSP removed: it blocked Vite inline modulepreload, Google Fonts, and
|
|
1578
|
+
// IP-based WebSocket access. X-Frame-Options + nosniff are the high-value
|
|
1579
|
+
// headers that don't break anything.
|
|
1577
1580
|
app.use((req, res, next) => {
|
|
1578
1581
|
res.setHeader('X-Content-Type-Options', 'nosniff');
|
|
1579
1582
|
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
|
|
1580
1583
|
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
1581
|
-
res.setHeader('X-XSS-Protection', '1; mode=block');
|
|
1582
|
-
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
|
|
1583
|
-
// Strict-Transport-Security only makes sense over HTTPS; skip for plain HTTP
|
|
1584
|
-
// so local dev doesn't pin an HSTS policy on localhost.
|
|
1585
1584
|
if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
|
|
1586
1585
|
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
1587
1586
|
}
|
|
1588
|
-
// CSP for the SPA shell — relaxed for self-hosted tool accessed from
|
|
1589
|
-
// various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
|
|
1590
|
-
// ws:/wss: in connect-src allows WebSocket from any origin (IP access).
|
|
1591
|
-
res.setHeader('Content-Security-Policy', [
|
|
1592
|
-
"default-src 'self'",
|
|
1593
|
-
"script-src 'self' 'unsafe-inline' 'unsafe-eval'",
|
|
1594
|
-
"style-src 'self' 'unsafe-inline'",
|
|
1595
|
-
"img-src 'self' data: blob: https:",
|
|
1596
|
-
"font-src 'self' data:",
|
|
1597
|
-
"connect-src 'self' ws: wss: http: https:",
|
|
1598
|
-
"frame-ancestors 'self'",
|
|
1599
|
-
"base-uri 'self'",
|
|
1600
|
-
"form-action 'self'",
|
|
1601
|
-
].join('; '));
|
|
1602
1587
|
next();
|
|
1603
1588
|
});
|
|
1604
1589
|
app.use(express.json({
|