From 8e7d599170b13669ebb438557727f09757b07b40 Mon Sep 17 00:00:00 2001 From: ScreenTinker Date: Mon, 8 Jun 2026 23:46:42 -0500 Subject: [PATCH] fix(widgets): no-store on widget/kiosk render The render had no Cache-Control. A copy cached before the X-Frame-Options fix keeps showing blank, and widget data (clock/weather/rss/directory) is dynamic anyway, so mark the render no-store. Pairs with the X-Frame-Options removal. --- server/routes/kiosk.js | 1 + server/routes/widgets.js | 3 +++ 2 files changed, 4 insertions(+) diff --git a/server/routes/kiosk.js b/server/routes/kiosk.js index bf60d32..f26e1c2 100644 --- a/server/routes/kiosk.js +++ b/server/routes/kiosk.js @@ -183,6 +183,7 @@ router.get('/:id/render', (req, res) => { // Embedded by the player in a sandboxed (null-origin) iframe; the global // X-Frame-Options: SAMEORIGIN would refuse that and leave it blank. res.removeHeader('X-Frame-Options'); + res.setHeader('Cache-Control', 'no-store'); res.setHeader('Content-Type', 'text/html'); res.send(html); }); diff --git a/server/routes/widgets.js b/server/routes/widgets.js index 119abcd..cfaee15 100644 --- a/server/routes/widgets.js +++ b/server/routes/widgets.js @@ -189,6 +189,9 @@ router.get('/:id/render', (req, res) => { // widgets render blank in the web player. Drop it here; the sandbox - not // X-Frame-Options - is what isolates the widget (it can't read the dashboard JWT). res.removeHeader('X-Frame-Options'); + // Never cache the render: widget data (clock/weather/rss/directory) changes, and + // a cached copy from before the X-Frame-Options change would keep showing blank. + res.setHeader('Cache-Control', 'no-store'); res.setHeader('Content-Type', 'text/html'); res.send(renderWidgetHtml(widget.widget_type, config)); });