basicSsl() removal ; Commenting CSP in index.html for dev

2026-03-06 17:37:51 +08:00 · 2026-02-19 23:39:49 +08:00
parent f1b0c0738e
commit 02f58f5ef0
3 changed files with 30 additions and 9 deletions
--- a/13
+++ b/13
@@ -1,5 +1,16 @@
 /*
-  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none'; frame-ancestors 'none';
+  Cloudflare Pages headers for SeedPGP Web
+  This file must be named _headers at build output root, or in public/_headers,
+  depending on your deployment setup.
+*/
+
+/*
+  Catch-all for the app
+*/
+/
+
+/* Security headers */
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' blob: data:; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none'; frame-ancestors 'none';
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer
--- a/index.html
+++ b/index.html
@@ -8,21 +8,24 @@
  <title>SeedPGP Web</title>

  <!-- Baseline CSP for generic builds.
-       TailsOS builds override this via Makefile (build-tails target). -->
+       TailsOS builds override this via Makefile (build-tails target).
+       Commented out for development to avoid CSP issues with WebAssembly.
  <meta
    http-equiv="Content-Security-Policy"
    content="
      default-src 'self';
-      script-src 'self' 'unsafe-inline';
+      script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' 'unsafe-eval';
      style-src 'self' 'unsafe-inline';
      img-src 'self' data: blob:;
-      connect-src 'self';
+      connect-src 'self' blob: data:;
      font-src 'self';
      object-src 'none';
+      media-src 'self' blob:;
      base-uri 'self';
      form-action 'none';
    "
  />
+  -->
 </head>

 <body>
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -17,8 +17,9 @@ export default defineConfig({
  plugins: [
    wasm(),
    topLevelAwait(),
-    basicSsl(),
    react(),
+    // basicSsl() plugin removed - it was causing MIME type issues with raw imports
+    // Enable only when specifically needed for HTTPS development
    {
      name: 'html-transform',
      transformIndexHtml(html) {
@@ -27,11 +28,17 @@ export default defineConfig({
    }
  ],
  server: {
-    host: '0.0.0.0',
-    port: 5173,
-    strictPort: true,
-    https: true,
+    headers: {
+      'Content-Security-Policy': '',  // Empty CSP for dev
+    },
  },
+
+  preview: {
+    headers: {
+      'Content-Security-Policy': '',  // Empty for preview too
+    },
+  },
+
  resolve: {
    alias: {
      buffer: 'buffer',