@pixelbyte-software/pixcode 1.54.6 → 1.54.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pixelbyte-software/pixcode",
|
|
3
|
-
"version": "1.54.
|
|
3
|
+
"version": "1.54.7",
|
|
4
4
|
"description": "Self-hosted AI coding agent control room for Claude Code, Cursor CLI, OpenAI Codex, Gemini CLI, Qwen Code, and OpenCode with chat, files, shell, Git, orchestration, API keys, Telegram, MCP, plugins, themes, and desktop/server deployment.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist-server/server/index.js",
|
package/server/index.js
CHANGED
|
@@ -1756,32 +1756,17 @@ app.use(cors({
|
|
|
1756
1756
|
exposedHeaders: ['X-Refreshed-Token'],
|
|
1757
1757
|
}));
|
|
1758
1758
|
|
|
1759
|
-
// Security headers
|
|
1759
|
+
// Security headers — kept lightweight for self-hosted tool compatibility.
|
|
1760
|
+
// CSP removed: it blocked Vite inline modulepreload, Google Fonts, and
|
|
1761
|
+
// IP-based WebSocket access. X-Frame-Options + nosniff are the high-value
|
|
1762
|
+
// headers that don't break anything.
|
|
1760
1763
|
app.use((req, res, next) => {
|
|
1761
1764
|
res.setHeader('X-Content-Type-Options', 'nosniff');
|
|
1762
1765
|
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
|
|
1763
1766
|
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
1764
|
-
res.setHeader('X-XSS-Protection', '1; mode=block');
|
|
1765
|
-
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
|
|
1766
|
-
// Strict-Transport-Security only makes sense over HTTPS; skip for plain HTTP
|
|
1767
|
-
// so local dev doesn't pin an HSTS policy on localhost.
|
|
1768
1767
|
if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
|
|
1769
1768
|
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
1770
1769
|
}
|
|
1771
|
-
// CSP for the SPA shell — relaxed for self-hosted tool accessed from
|
|
1772
|
-
// various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
|
|
1773
|
-
// ws:/wss: in connect-src allows WebSocket from any origin (IP access).
|
|
1774
|
-
res.setHeader('Content-Security-Policy', [
|
|
1775
|
-
"default-src 'self'",
|
|
1776
|
-
"script-src 'self' 'unsafe-inline' 'unsafe-eval'",
|
|
1777
|
-
"style-src 'self' 'unsafe-inline'",
|
|
1778
|
-
"img-src 'self' data: blob: https:",
|
|
1779
|
-
"font-src 'self' data:",
|
|
1780
|
-
"connect-src 'self' ws: wss: http: https:",
|
|
1781
|
-
"frame-ancestors 'self'",
|
|
1782
|
-
"base-uri 'self'",
|
|
1783
|
-
"form-action 'self'",
|
|
1784
|
-
].join('; '));
|
|
1785
1770
|
next();
|
|
1786
1771
|
});
|
|
1787
1772
|
|