LibreChat/client
Dustin Healy 39a06f43f4 fix(mcp): restrict sandbox form submissions to the declared egress
form-action does not fall back to default-src, so with the inner iframe created
allow-forms a script could submit a hidden form to any origin and bypass the
connectDomains deny-by-default egress policy. The generated sandbox CSP now sets
form-action to the same declared connect allowlist ('none' when none is set).
2026-06-24 08:30:06 -07:00
..
public fix(mcp): restrict sandbox form submissions to the declared egress 2026-06-24 08:30:06 -07:00
scripts
src fix(mcp): resolve config and credential context for app follow-up requests 2026-06-24 08:13:32 -07:00
sw 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00
test
babel.config.cjs
check_updates.sh
index.html 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00
jest.config.cjs feat: MCP Apps support (squashed for rebase) 2026-06-21 23:55:17 -07:00
nginx.conf
package.json refactor: replace @mcp-ui/client with @modelcontextprotocol/ext-apps/app-bridge 2026-06-23 13:55:56 -07:00
postcss.config.cjs
tailwind.config.cjs
tsconfig.json 👷 ci: Type-check the Client Workspace (#13560) 2026-06-06 18:40:31 -04:00
vite.config.ts 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00