gooneyryan/hermes-webui
1
0
Fork 0
mirror of https://github.com/nesquena/hermes-webui.git synced 2026-05-26 03:30:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
96ca83bf539de98ec40b0461ba227199a2f486df
hermes-webui/tests/test_issue1112_csp_google_fonts.py
T
nesquena-hermes fc0152b2fc v0.50.223: model picker, idle retry, drag-drop, CSP, clipboard copy (#1127) 
* fix(#604): model picker shows all configured providers

Two fixes to ensure the model picker surface every provider a user has
configured:

1. Added env var detection for XAI_API_KEY (→ x-ai) and MISTRAL_API_KEY
   (→ mistralai). Previously these providers were only detectable via
   hermes auth or credential pool, not via environment variables.

2. Added config.yaml providers section scanning. Users who configure
   providers in config.yaml (e.g. providers.anthropic.api_key) without
   setting the corresponding env var will now see those providers in the
   model picker. Only providers with known model catalogs are added.

- Added 12 regression tests

* fix(#1112): allow Google Fonts in CSP style-src and font-src

Mermaid themes inject @import for fonts.googleapis.com at render time.
CSP style-src blocked these requests, causing console violations.

- Add https://fonts.googleapis.com to style-src (CSS stylesheets)
- Add https://fonts.gstatic.com to font-src (WOFF2/WOFF font files)
- Add 3 regression tests + verify existing CSP tests still pass

* fix(#1118): retry api() calls on network errors after long idle

After a long idle period, the browser's TCP keep-alive connection to the
server can become stale. The next fetch() throws a TypeError (network
failure), causing 'Failed to load session' instead of transparently
reconnecting.

- Added retry loop in api() (workspace.js): up to 3 attempts
- Only retries on TypeError (network failures), NOT on HTTP errors (4xx/5xx)
- 401 redirects still fire immediately
- Added 6 regression tests

* feat(#1116): composer placeholder reflects active profile name

When a named profile is active (not 'default'), the composer placeholder
and title bar show the profile name (capitalised) instead of the global
bot_name. Falls back to bot_name/'Hermes' for the default profile.

- boot.js: applyBotName() checks S.activeProfile before _botName
- panels.js: switchToProfile() calls applyBotName() after switch
- Added 5 regression tests

* feat(#1097): drag and drop workspace files into chat composer

Files and folders in the workspace file tree are now draggable.
Dropping them into the composer inserts @path reference at cursor
position. OS file drag-and-drop (attach files) still works.

- ui.js: _renderTreeItems sets draggable + dragstart with ws-path
- panels.js: drop handler checks for application/ws-path first,
  inserts @path with smart spacing and cursor positioning
- Added 9 regression tests

* fix(#1096): copy buttons work — add clipboard-write Permissions-Policy

Copy buttons on messages and code blocks were silently failing because
the Permissions-Policy header did not include clipboard-write=(self).
Firefox blocks navigator.clipboard.writeText() without explicit permission.

- api/helpers.py: add clipboard-write=(self) to Permissions-Policy
- ui.js: _copyText now catches clipboard API errors and falls back
  to execCommand('copy'). _fallbackCopy extracted as separate function
  with proper focus() call and visible-but-hidden positioning (not -9999px)
- Added 8 regression tests

* chore: CHANGELOG for v0.50.223

---------

Co-authored-by: bergeouss <bergeouss@users.noreply.github.com>
Co-authored-by: nesquena-hermes <nesquena-hermes@users.noreply.github.com>
2026-04-26 15:29:02 -07:00

50 lines
2.1 KiB
Python
Raw Blame History

"""Tests for #1112 — CSP allows Google Fonts stylesheet and font files."""
import re
def _helpers_src() -> str:
with open("api/helpers.py") as f:
return f.read()
class TestCSPGoogleFonts:
"""style-src and font-src must allow fonts.googleapis.com / fonts.gstatic.com."""
def test_style_src_includes_google_fonts(self):
"""style-src must include https://fonts.googleapis.com for Google Fonts CSS."""
src = _helpers_src()
assert "https://fonts.googleapis.com" in src, \
"style-src must allow fonts.googleapis.com (Google Fonts stylesheets)"
# Must be in the style-src directive, not accidentally elsewhere
style_match = re.search(r"style-src\s+([^;]+);", src)
assert style_match, "style-src directive must exist"
assert "fonts.googleapis.com" in style_match.group(1), \
"fonts.googleapis.com must be in style-src directive"
def test_font_src_includes_fonts_gstatic(self):
"""font-src must include https://fonts.gstatic.com for Google Font files."""
src = _helpers_src()
assert "https://fonts.gstatic.com" in src, \
"font-src must allow fonts.gstatic.com (Google Font WOFF2/WOFF files)"
# Must be in the font-src directive
font_match = re.search(r"font-src\s+([^;]+);", src)
assert font_match, "font-src directive must exist"
assert "fonts.gstatic.com" in font_match.group(1), \
"fonts.gstatic.com must be in font-src directive"
def test_existing_csp_directives_preserved(self):
"""All pre-existing CSP directives must still be present after the fix."""
src = _helpers_src()
for directive in (
"default-src 'self'",
"script-src 'self' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data:",
"font-src 'self' data:",
"connect-src 'self'",
"manifest-src 'self'",
"base-uri 'self'",
"form-action 'self'",
):
assert directive in src, f"CSP must still contain: {directive}"
Reference in New Issue View Git Blame Copy Permalink