@pixelbyte-software/pixcode 1.54.6 → 1.54.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pixelbyte-software/pixcode",
3
- "version": "1.54.6",
3
+ "version": "1.54.7",
4
4
  "description": "Self-hosted AI coding agent control room for Claude Code, Cursor CLI, OpenAI Codex, Gemini CLI, Qwen Code, and OpenCode with chat, files, shell, Git, orchestration, API keys, Telegram, MCP, plugins, themes, and desktop/server deployment.",
5
5
  "type": "module",
6
6
  "main": "dist-server/server/index.js",
package/server/index.js CHANGED
@@ -1756,32 +1756,17 @@ app.use(cors({
1756
1756
  exposedHeaders: ['X-Refreshed-Token'],
1757
1757
  }));
1758
1758
 
1759
- // Security headers middleware (replaces helmet which isn't installed).
1759
+ // Security headers kept lightweight for self-hosted tool compatibility.
1760
+ // CSP removed: it blocked Vite inline modulepreload, Google Fonts, and
1761
+ // IP-based WebSocket access. X-Frame-Options + nosniff are the high-value
1762
+ // headers that don't break anything.
1760
1763
  app.use((req, res, next) => {
1761
1764
  res.setHeader('X-Content-Type-Options', 'nosniff');
1762
1765
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
1763
1766
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
1764
- res.setHeader('X-XSS-Protection', '1; mode=block');
1765
- res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
1766
- // Strict-Transport-Security only makes sense over HTTPS; skip for plain HTTP
1767
- // so local dev doesn't pin an HSTS policy on localhost.
1768
1767
  if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
1769
1768
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
1770
1769
  }
1771
- // CSP for the SPA shell — relaxed for self-hosted tool accessed from
1772
- // various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
1773
- // ws:/wss: in connect-src allows WebSocket from any origin (IP access).
1774
- res.setHeader('Content-Security-Policy', [
1775
- "default-src 'self'",
1776
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1777
- "style-src 'self' 'unsafe-inline'",
1778
- "img-src 'self' data: blob: https:",
1779
- "font-src 'self' data:",
1780
- "connect-src 'self' ws: wss: http: https:",
1781
- "frame-ancestors 'self'",
1782
- "base-uri 'self'",
1783
- "form-action 'self'",
1784
- ].join('; '));
1785
1770
  next();
1786
1771
  });
1787
1772