mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-01 20:01:35 +00:00
The previous approach derived trustedOrigin from document.referrer at startup and fell back to '*' when referrer was empty, with a lazy-set from the first incoming message as a further fallback. Both paths leave a window where notifyReady broadcasts to all frames or the origin can be set by an untrusted first message. The sandbox is always served same-origin with LibreChat (/api/mcp/sandbox), so window.location.origin is always the exact parent origin. This replaces the referrer parse and lazy-set entirely: trustedOrigin is a const set at parse time, notifyReady uses it directly, and the message handler rejects any message whose origin does not match without fallback.

| Name |
|---|
| public |
| scripts |
| src |
| sw |
| test |
| babel.config.cjs |
| check_updates.sh |
| index.html |
| jest.config.cjs |
| nginx.conf |
| package.json |
| postcss.config.cjs |
| tailwind.config.cjs |
| tsconfig.json |
| vite.config.ts |