mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
fix(widget): sandbox connect-src cdn.jsdelivr.net + Sentry CSP/5xx tracking (#2365)
* fix(widget): allow cdn.jsdelivr.net in sandbox CSP + Sentry error tracking

- Fix Chart.js source map noise: relax sandbox connect-src from 'none' to https://cdn.jsdelivr.net (both vercel.json header and meta CSP in buildWidgetDoc)
- Add Sentry API 5xx capture in premiumFetch via reportServerError() -- fires on any status >= 500 before response is returned, tags kind: api_5xx
- Add securitypolicyviolation listener in main.ts for parent-page CSP violations, filters browser-extension and blob origins, tags kind: csp_violation

* feat(widget): inject panel design system into PRO widget sandbox

Problem: PRO widgets used a disconnected design (large bold titles, custom tab buttons, hardcoded hex colors) because the sandbox iframe had no panel CSS classes and the agent had no examples to follow.

Fix:
- buildWidgetDoc: add .panel-header, .panel-title, .panel-tabs, .panel-tab, .panel-tab.active, .disp-stats-grid, .disp-stat-box, .disp-stat-value, .disp-stat-label, and --accent CSS variable to the iframe's <style> block so they work without a custom <style>
- WIDGET_PRO_SYSTEM_PROMPT: add concrete HTML examples for panel header+tabs, stat boxes, and Chart.js color setup using CSS vars; prohibit h1/h2/h3 large titles; document the switchTab() pattern
- Test: assert all panel classes and --accent are present in document

Agent now has classes to USE instead of inventing its own styling.

* feat(widget-agent): open API allowlist to all /api/ paths with compact taxonomy

Problem: widget agent only knew 14 hardcoded endpoints and prioritized search_web even when a WorldMonitor data source was available.

- Replace WIDGET_ALLOWED_ENDPOINTS Set with isWidgetEndpointAllowed() function: permits any /api/ path, blocks inference/write endpoints (analyze-stock, backtest-stock, summarize-article, classify-event, etc.)
- Replace per-URL endpoint lists in both WIDGET_SYSTEM_PROMPT and WIDGET_PRO_SYSTEM_PROMPT with a compact service-grouped taxonomy: service + method names only, no full URL repeated 60 times (~400 tokens vs ~1200 for 4x more endpoint coverage)
- Strengthen prioritization: "ALWAYS use first, ONLY fall back to search_web if no matching service exists" (was "preferred for topics")
- Add 30+ new endpoints: earthquakes, wildfires, cyber threats, sanctions, consumer prices, FRED series, BLS, Big Mac, fuel, grocery, ETF flows, shipping rates, chokepoints, critical minerals, GPS interference, etc.

* fix(csp): add safari-web-extension: scheme to CSP violation filter
@@ -136,7 +136,7 @@
{
"source": "/wm-widget-sandbox.html",
"headers": [
{ "key": "Content-Security-Policy", "value": "default-src 'none'; script-src 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'unsafe-inline'; img-src data:; connect-src 'none';" },
{ "key": "Content-Security-Policy", "value": "default-src 'none'; script-src 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'unsafe-inline'; img-src data:; connect-src https://cdn.jsdelivr.net;" },
{ "key": "Cache-Control", "value": "public, max-age=86400" }
]
}
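Review bot: the `/wm-widget-sandbox.html` header change widens connect-src from 'none' to the entire `https://cdn.jsdelivr.net` host, which is broader than the stated purpose (silencing Chart.js source-map fetches) and hands the sandbox's 'unsafe-inline' widget scripts an outbound channel to anything that CDN serves. Consider a path-scoped source expression limited to the Chart.js package the script-src actually loads (CSP host sources accept paths, e.g. `https://cdn.jsdelivr.net/npm/chart.js@<version>/`, version being a placeholder here), and keep the meta CSP emitted by buildWidgetDoc byte-for-byte identical to this header, since the commit message says both were relaxed and any divergence would simply reintroduce the violation noise under the stricter of the two policies.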