gooneyryan/hermes-webui
1
0
Fork 0
mirror of https://github.com/nesquena/hermes-webui.git synced 2026-05-26 11:40:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1448f42b5ffb0f3e55680796cfec94529c7aa69f
hermes-webui/api
T
History
Chase Florell 7bf8516529 fix: add cdn.jsdelivr.net to CSP connect-src 
xterm.js, xterm-addon-fit, and xterm-addon-web-links are loaded from
cdn.jsdelivr.net via <script> tags. Their bundled source maps also live
on jsDelivr and are fetched via the connect mechanism (not a script load),
so they fall under connect-src, not script-src.

With connect-src limited to 'self', every browser blocks these fetches
and emits three CSP violation errors in the console whenever DevTools is
open. Adding cdn.jsdelivr.net to connect-src aligns it with script-src,
style-src, and font-src, which already allow that origin.

Adds a regression test following the pattern of test_issue1112_csp_google_fonts.py.

Closes nesquena/hermes-webui#1850
2026-05-07 13:10:20 -07:00
..
__init__.py
Hermes Web UI — Sprints 11-14: multi-provider models, settings, session QoL, alerts, polish
2026-03-31 07:02:47 +00:00
agent_health.py
feat: add agent heartbeat alert
2026-05-05 02:25:06 +00:00
agent_sessions.py
fix: keep cross-surface session continuations visible
2026-05-07 16:58:39 +00:00
auth.py
fix: keep frontend routes under subpath mounts
2026-05-04 00:06:58 -07:00
background.py
feat(commands): /background, /btw slash commands + undo button + reasoning chip
2026-04-24 01:24:51 +00:00
clarify.py
feat(clarify): SSE long-connection for real-time clarify notifications (#1355)
2026-04-30 21:32:51 +00:00
commands.py
feat: slash command parity + skill autocomplete — v0.50.91 (PR #711)
2026-04-19 05:37:44 +00:00
config.py
stage-313 absorb: gate _resolve_configured_provider_id alias resolution + harden bootstrap test isolation
2026-05-07 17:07:48 +00:00
dashboard_probe.py
feat: link official Hermes dashboard
2026-05-05 01:23:55 +00:00
extensions.py
Opus pre-release follow-ups for PR #1445
2026-05-02 03:49:40 +00:00
gateway_watcher.py
release: v0.50.241 (#1293)
2026-04-29 19:54:07 -07:00
helpers.py
fix: add cdn.jsdelivr.net to CSP connect-src
2026-05-07 13:10:20 -07:00
kanban_bridge.py
stage-315 absorb: document handle_kanban_* three-valued return contract
2026-05-07 18:52:01 +00:00
metering.py
fix: show TPS in assistant message headers
2026-05-04 21:26:43 +00:00
models.py
fix: preserve CLI session tool metadata
2026-05-07 02:47:19 +00:00
oauth.py
fix(oauth): serialize Anthropic env fallback reads
2026-05-07 02:47:19 +00:00
onboarding.py
feat: link Claude Code OAuth in onboarding
2026-05-06 06:26:43 +00:00
profiles.py
fix: allow profile switching during active streams
2026-05-06 16:11:46 +00:00
providers.py
Stage 314: PR #1827 — sync Codex provider card models with picker by @Michaelyklam
2026-05-07 17:58:52 +00:00
rollback.py
v0.50.255: Opus follow-ups (4 fixes) + CHANGELOG
2026-05-01 17:19:53 +00:00
routes.py
fix: keep shell route errors html
2026-05-07 18:41:13 +00:00
session_ops.py
Show profile home in /status command (refs #463) (#1380)
2026-05-01 04:46:37 +00:00
session_recovery.py
fix: absorb Opus advisor doc-only SHOULD-FIX nits
2026-05-03 20:54:02 +00:00
startup.py
fix: P0 hotfixes — API regression, code block parser, chmod override
2026-05-01 12:10:48 +00:00
state_sync.py
security: bandit fixes B310/B324/B110 + QuietHTTPServer (#354)
2026-04-13 11:11:56 -07:00
streaming.py
fix: show auto-compression running state
2026-05-07 18:41:13 +00:00
system_health.py
feat: add VPS resource health panel
2026-05-05 17:30:56 +00:00
terminal.py
absorb: address Opus review findings (security + correctness)
2026-04-29 05:06:34 +00:00
updates.py
fix: normalize update banner repository URLs
2026-05-05 08:29:00 -07:00
upload.py
Merge remote-tracking branch 'refs/remotes/pr/1229' into stage/batch-v0.50.238
2026-04-29 15:17:57 +00:00
workspace.py
fix: preserve inaccessible workspace entries
2026-05-07 16:56:48 +00:00