screentinker/frontend
ScreenTinker 8ec33721f7 Security: sanitize notes, add CSP headers, tighten CORS
LOW 1 (notes XSS): device.notes textarea content now goes through
esc(). Notes weren't in the sanitizeBody allow-list at write time, so
HTML in the field would render unescaped on the device-detail page.

LOW 2 (CSP): enabled Helmet contentSecurityPolicy with default-src
'self', script-src 'self', style-src 'self' 'unsafe-inline', plus the
data:/blob:/https: image and media sources the player needs. Strict
script-src blocks <script> injection; script-src-attr 'unsafe-inline'
keeps existing inline onclick handlers working until they can be
refactored to addEventListener (TODO comment in code).

  CSP applies to /app and most other paths. Skipped on the public
  widget and kiosk render endpoints, the landing page, and /player —
  those legitimately need inline scripts/styles.
  upgrade-insecure-requests is explicitly disabled so HTTP-only
  self-hosted LAN deployments aren't broken.

  Refactored two inline onclick handlers in index.html to
  data-close-modal attributes wired by a delegated listener in app.js.
  Was the only blocker for /app under strict script-src.

LOW 3 (CORS): Express CORS now only allows screentinker.com (and
subdomains) + localhost in production. SELF_HOSTED=true bypasses the
allowlist (operator owns their deployment). Development mode stays
open. Same policy applied to the Socket.IO CORS config which was
previously origin: '*'. Native clients (Android, server-to-server,
kiosk iframes) send no Origin and pass through unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 14:37:31 -05:00
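The three policies the commit message above describes, written out as an added example. This is illustrative code and not ScreenTinker's own source: the names esc, cspHeader, originAllowed and corsOriginCallback, the ALLOWED_HOSTS list, and the reading of NODE_ENV / SELF_HOSTED are assumptions made here. It shows the escaper the notes field needs, a CSP directive map rendered to a header value with upgrade-insecure-requests left out, and an Origin check that treats "subdomains of screentinker.com" as a real suffix match rather than an endsWith on the bare domain, which would also accept evilscreentinker.com.

```javascript
// Added example, not project code. Assumed names: esc, APP_CSP, cspHeader,
// ALLOWED_HOSTS, originAllowed, corsOriginCallback; assumed env vars:
// NODE_ENV, SELF_HOSTED. Runs on plain Node (no dependencies).

// ---- LOW 1: escape untrusted text before it lands in HTML ----
// Covers text content and both quoting styles of attribute values.
const ESC_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function esc(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESC_MAP[ch]);
}

// ---- LOW 2: CSP directive map -> Content-Security-Policy header value ----
// A directive set to null is omitted from the header entirely; that is how
// upgrade-insecure-requests is kept out for HTTP-only LAN deployments.
// script-src-attr 'unsafe-inline' still permits injected event-handler
// attributes (onerror=, onclick=), so it only buys time until the inline
// handlers are refactored to addEventListener.
const APP_CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'script-src-attr': ["'unsafe-inline'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'blob:', 'https:'],
  'media-src': ["'self'", 'data:', 'blob:', 'https:'],
  'upgrade-insecure-requests': null,
};
function cspHeader(directives) {
  return Object.entries(directives)
    .filter(([, sources]) => sources !== null)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// ---- LOW 3: CORS origin allowlist shared by Express and Socket.IO ----
const ALLOWED_HOSTS = ['screentinker.com']; // assumed production apex domain
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Exact host or a proper subdomain. The leading dot is what stops
// evilscreentinker.com and screentinker.com.evil.net from matching.
function hostMatches(hostname, allowed) {
  return hostname === allowed || hostname.endsWith('.' + allowed);
}

function originAllowed(origin, env = process.env) {
  // No Origin header: native apps and server-to-server calls. CORS exists
  // to restrain browsers, so non-browser clients pass through unchanged.
  if (origin === undefined || origin === null || origin === '') return true;
  if (env.SELF_HOSTED === 'true') return true;      // operator owns the deployment
  if (env.NODE_ENV !== 'production') return true;   // development stays open
  let url;
  try {
    url = new URL(origin);                          // the literal string "null"
  } catch {                                         // (sandboxed iframe, file://)
    return false;                                   // fails to parse and is rejected
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const host = url.hostname;
  if (LOCAL_HOSTS.has(host)) return true;
  return ALLOWED_HOSTS.some((allowed) => hostMatches(host, allowed));
}

// The callback form accepted by the `cors` middleware's `origin` option and
// by Socket.IO's `cors` option, so one policy serves both servers.
function corsOriginCallback(env = process.env) {
  return (origin, cb) =>
    originAllowed(origin, env) ? cb(null, true) : cb(new Error('Origin not allowed'), false);
}
```

Wiring is the usual `cors({ origin: corsOriginCallback() })` for Express and `new Server(httpServer, { cors: { origin: corsOriginCallback() } })` for Socket.IO; the header value from cspHeader(APP_CSP) is what a Helmet contentSecurityPolicy block with the same directives would emit, minus upgrade-insecure-requests.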
assets Landing: replace iframe mock with dashboard screenshot 2026-04-21 19:47:13 -05:00
css QA fixes: toast aria-live + scope playlist flex-wrap to mobile 2026-04-21 16:00:41 -05:00
js Security: sanitize notes, add CSP headers, tighten CORS 2026-04-28 14:37:31 -05:00
legal Update ToS: add CSAM policy, fix MIT license conflict, add governing law 2026-04-24 11:26:32 -05:00
index.html Security: sanitize notes, add CSP headers, tighten CORS 2026-04-28 14:37:31 -05:00
landing.html Add Discord link and refresh feature copy 2026-04-23 17:47:00 -05:00
manifest.json Initial open source release 2026-04-08 12:14:53 -05:00
robots.txt Initial open source release 2026-04-08 12:14:53 -05:00
sitemap.xml SEO: open-source positioning, GitHub links, OG image, semantic <main> 2026-04-21 19:56:22 -05:00
sw-admin.js Initial open source release 2026-04-08 12:14:53 -05:00