eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(pro): CSP allow Turnstile + use same-origin API calls (#1155)

Browse Source 
- Add challenges.cloudflare.com to script-src and frame-src in CSP
- Use same-origin /register-interest instead of cross-origin api.worldmonitor.app
  (avoids CORS preflight failures when served from www.worldmonitor.app)
- Rebuild pro page bundle with the fix
This commit is contained in:
Elie Habib
2026-03-07 07:18:43 +04:00
committed by GitHub
parent dd057bbdfc
commit d82c29472a
4 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pro-test/src/App.tsx
View File

@@ -8,7 +8,7 @@ import {
Cable, Wifi, MapPin, Users, TrendingUp
} from 'lucide-react';
const API_BASE = 'https://api.worldmonitor.app';
const API_BASE = location.hostname === 'localhost' ? 'https://api.worldmonitor.app' : '';
const TURNSTILE_SITE_KEY = '0x4AAAAAACnaYgHIyxclu8Tj';
const PRO_URL = 'https://worldmonitor.app/pro';

2
public/pro/assets/index-Ba8d3DJQ.js → public/pro/assets/index--Jy-bdnT.js
View File

File diff suppressed because one or more lines are too long

2
public/pro/index.html
View File

@@ -78,7 +78,7 @@
}
</script>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script type="module" crossorigin src="/pro/assets/index-Ba8d3DJQ.js"></script>
<script type="module" crossorigin src="/pro/assets/index--Jy-bdnT.js"></script>
<link rel="stylesheet" crossorigin href="/pro/assets/index-D2QULaqm.css">
</head>
<body>

2
vercel.json
View File

@@ -22,7 +22,7 @@
{ "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), accelerometer=(), autoplay=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), bluetooth=(), display-capture=(), encrypted-media=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), screen-wake-lock=(), serial=(), usb=(), xr-spatial-tracking=()" },
{ "key": "Content-Security-Policy", "value": "default-src 'self'; connect-src 'self' https: wss: blob: data:; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://www.youtube.com https://static.cloudflareinsights.com https://vercel.live; worker-src 'self' blob:; font-src 'self' data: https:; media-src 'self' data: blob: https:; frame-src 'self' https://worldmonitor.app https://tech.worldmonitor.app https://happy.worldmonitor.app https://www.youtube.com https://www.youtube-nocookie.com; frame-ancestors 'self'; base-uri 'self'; object-src 'none'; form-action 'self'" }
{ "key": "Content-Security-Policy", "value": "default-src 'self'; connect-src 'self' https: wss: blob: data:; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://www.youtube.com https://static.cloudflareinsights.com https://vercel.live https://challenges.cloudflare.com; worker-src 'self' blob:; font-src 'self' data: https:; media-src 'self' data: blob: https:; frame-src 'self' https://worldmonitor.app https://tech.worldmonitor.app https://happy.worldmonitor.app https://www.youtube.com https://www.youtube-nocookie.com https://challenges.cloudflare.com; frame-ancestors 'self'; base-uri 'self'; object-src 'none'; form-action 'self'" }
]
},
{