gooneyryan/hermes-webui
1
0
Fork 0
mirror of https://github.com/nesquena/hermes-webui.git synced 2026-05-27 12:10:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ed2bd18186920458bb09a43ac1599b060a7ddbc9
hermes-webui/api
T
History
Nathan Esquenazi 4c798e4313 fix(security): CSP sandbox header for inline HTML preview 
The iframe sandbox="allow-scripts" attribute on previewHtmlIframe only
applies when HTML is loaded INSIDE that iframe. A user tricked into
opening /api/file/raw?path=evil.html&inline=1 directly in a top-level
tab (e.g. via a chat link) would render the HTML in the WebUI's origin
without any sandbox, giving the page full access to cookies and
localStorage.

Server-side Content-Security-Policy: sandbox allow-scripts mirrors the
iframe sandbox exactly: scripts run, but the document is treated as a
unique opaque origin (no allow-same-origin) and cannot read WebUI
cookies, localStorage, or postMessage to the parent regardless of how
the URL is accessed.

Added test_inline_html_response_sets_csp_sandbox to pin the header.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 21:22:41 +00:00
..
__init__.py
Hermes Web UI — Sprints 11-14: multi-provider models, settings, session QoL, alerts, polish
2026-03-31 07:02:47 +00:00
agent_sessions.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
auth.py
fix(auth): persist sessions across restarts via STATE_DIR/.sessions.json (#962)
2026-04-24 11:21:41 -07:00
background.py
feat(commands): /background, /btw slash commands + undo button + reasoning chip
2026-04-24 01:24:51 +00:00
clarify.py
feat: harden clarify dialog flow and refresh recovery
2026-04-15 13:10:50 +08:00
commands.py
feat: slash command parity + skill autocomplete — v0.50.91 (PR #711)
2026-04-19 05:37:44 +00:00
config.py
fix(config): add .venv discovery paths in _discover_python (#949)
2026-04-24 10:45:23 -07:00
gateway_watcher.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
helpers.py
feat(queue): Codex-style message queue flyout above composer (#1040)
2026-04-25 14:21:50 -07:00
metering.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
models.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
onboarding.py
fix(onboarding): correct stale model defaults for specialized providers
2026-04-25 21:22:41 +00:00
profiles.py
fix(profiles): complete profile isolation via cookie + thread-local (#805)
2026-04-21 17:04:11 +00:00
providers.py
fix(ci): eliminate test_set_key flakiness — v0.50.161
2026-04-23 02:09:37 +00:00
routes.py
fix(security): CSP sandbox header for inline HTML preview
2026-04-25 21:22:41 +00:00
session_ops.py
fix: harden session persistence and per-session lock handling during streaming (v0.50.175, #910) (#910)
2026-04-23 14:25:43 -07:00
startup.py
fix(security): gate auto-install behind HERMES_WEBUI_AUTO_INSTALL=1 — v0.50.156
2026-04-22 20:49:28 +00:00
state_sync.py
security: bandit fixes B310/B324/B110 + QuietHTTPServer (#354)
2026-04-13 11:11:56 -07:00
streaming.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
updates.py
fix: update banner — conflict recovery path + server self-restart after update (#816)
2026-04-21 17:10:41 -07:00
upload.py
v0.50.25: mobile scroll, import timestamps, profile security, mic fallback (#404)
2026-04-13 22:11:45 -07:00
workspace.py
fix(workspace): allow adding external paths not under home directory (#991)
2026-04-24 13:04:36 -07:00