mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-10 08:13:46 +00:00
form-action does not fall back to default-src, so with the inner iframe created
allow-forms a script could submit a hidden form to any origin and bypass the
connectDomains deny-by-default egress policy. The generated sandbox CSP now sets
form-action to the same declared connect allowlist ('none' when none is set).
|
||
|---|---|---|
| .. | ||
| assets | ||
| fonts | ||
| mcp-sandbox.html | ||
| robots.txt | ||