@pixelbyte-software/pixcode 1.54.6 → 1.54.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.html CHANGED
@@ -35,7 +35,7 @@
35
35
 
36
36
  <!-- Prevent zoom on iOS -->
37
37
  <meta name="format-detection" content="telephone=no" />
38
- <script type="module" crossorigin src="/assets/index-DJ_KIN2W.js"></script>
38
+ <script type="module" crossorigin src="/assets/index-D-4VRH1a.js"></script>
39
39
  <link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
40
40
  <link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
41
41
  <link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
@@ -1573,32 +1573,17 @@ app.use(cors({
1573
1573
  credentials: true,
1574
1574
  exposedHeaders: ['X-Refreshed-Token'],
1575
1575
  }));
1576
- // Security headers middleware (replaces helmet which isn't installed).
1576
+ // Security headers kept lightweight for self-hosted tool compatibility.
1577
+ // CSP removed: it blocked Vite inline modulepreload, Google Fonts, and
1578
+ // IP-based WebSocket access. X-Frame-Options + nosniff are the high-value
1579
+ // headers that don't break anything.
1577
1580
  app.use((req, res, next) => {
1578
1581
  res.setHeader('X-Content-Type-Options', 'nosniff');
1579
1582
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
1580
1583
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
1581
- res.setHeader('X-XSS-Protection', '1; mode=block');
1582
- res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
1583
- // Strict-Transport-Security only makes sense over HTTPS; skip for plain HTTP
1584
- // so local dev doesn't pin an HSTS policy on localhost.
1585
1584
  if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
1586
1585
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
1587
1586
  }
1588
- // CSP for the SPA shell — relaxed for self-hosted tool accessed from
1589
- // various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
1590
- // ws:/wss: in connect-src allows WebSocket from any origin (IP access).
1591
- res.setHeader('Content-Security-Policy', [
1592
- "default-src 'self'",
1593
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1594
- "style-src 'self' 'unsafe-inline'",
1595
- "img-src 'self' data: blob: https:",
1596
- "font-src 'self' data:",
1597
- "connect-src 'self' ws: wss: http: https:",
1598
- "frame-ancestors 'self'",
1599
- "base-uri 'self'",
1600
- "form-action 'self'",
1601
- ].join('; '));
1602
1587
  next();
1603
1588
  });
1604
1589
  app.use(express.json({