LibreChat/client/public
Dustin Healy ac2812ba2f fix(mcp): use window.location.origin as trusted sandbox origin
The previous approach derived trustedOrigin from document.referrer at
startup and fell back to '*' when referrer was empty, with a lazy-set
from the first incoming message as a further fallback. Both paths leave
a window where notifyReady broadcasts to all frames or the origin can
be set by an untrusted first message.

The sandbox is always served same-origin with LibreChat (/api/mcp/sandbox),
so window.location.origin is always the exact parent origin. This replaces
the referrer parse and lazy-set entirely: trustedOrigin is a const set at
parse time, notifyReady uses it directly, and the message handler rejects
any message whose origin does not match without fallback.
2026-06-23 18:47:28 -07:00
..
assets 🎨 chore: Update Agent Tool with new SVG assets (#12065) 2026-03-04 09:28:19 -05:00
fonts fix: necessary font changes (#1818) 2024-02-16 14:15:05 -05:00
mcp-sandbox.html fix(mcp): use window.location.origin as trusted sandbox origin 2026-06-23 18:47:28 -07:00
robots.txt 🌟 feat: Enhance User Experience and SEO with Accessibility Updates and robots.txt (#5392) 2025-02-22 17:42:20 -05:00