screentinker/server
ScreenTinker 827b1c4c87 fix(widgets): make widget/kiosk render frameable (X-Frame-Options)
The web player embeds widget/kiosk renders in a sandboxed (allow-scripts, no
allow-same-origin) iframe = a null origin. The global helmet X-Frame-Options:
SAMEORIGIN refuses that (null != same-origin), so every widget rendered blank in
the web player (video worked since it isn't an iframe). Drop X-Frame-Options on
just the /render endpoints - the sandbox, not X-Frame-Options, is what isolates
the widget from the dashboard (it still can't read the JWT). Dashboard keeps its
clickjacking protection. Verified: directory board now renders in a sandboxed
iframe with no refusal.
2026-06-08 23:36:53 -05:00
config fix: log real client IPs through Cloudflare instead of CF edge 2026-05-07 15:26:37 -05:00
db fix(db): cascade tenant resources on workspace/org delete (#18 follow-up) 2026-06-08 16:01:52 -05:00
lib fix(security): patch quick-win findings from the codebase review 2026-06-08 19:02:19 -05:00
middleware fix(security): patch quick-win findings from the codebase review 2026-06-08 19:02:19 -05:00
player fix(player-web): independent per-zone rotation in multi-zone layouts 2026-06-08 23:12:29 -05:00
routes fix(widgets): make widget/kiosk render frameable (X-Frame-Options) 2026-06-08 23:36:53 -05:00
services feat(signup): T+3 activation nudge for users with zero paired screens 2026-05-30 20:28:24 -05:00
test fix(security): sanitize public widget render to close stored XSS 2026-06-08 19:11:14 -05:00
ws feat(debug): live per-device debug logging toggle on the device screen 2026-06-08 21:49:03 -05:00
.gitignore feat(email): Microsoft Graph send + alert spam protection + preferences UI 2026-05-12 18:16:40 -05:00
config.js feat(signup): optional org-on-create for self-service signups (#12) 2026-06-05 11:16:27 -05:00
package-lock.json feat(email): Microsoft Graph send + alert spam protection + preferences UI 2026-05-12 18:16:40 -05:00
package.json test(admin): node:test coverage for Add User + role gating 2026-06-05 11:23:06 -05:00
server.js fix(security): patch quick-win findings from the codebase review 2026-06-08 19:02:19 -05:00