webui

Sabo/webui

Files

nesquena-hermes cc8cbc4d3f fix(security): add unsafe-inline and CDN allowlist to CSP script-src (#209 )

The CSP script-src 'self' policy blocked all inline onclick= event handlers
in index.html (55+ handlers including toggleSettings(), switchPanel(),
filterSessions() etc.), making the settings panel, sidebar navigation, and
most interactive UI elements non-functional.

Also restores https://cdn.jsdelivr.net to both script-src and style-src
(required for Mermaid.js dynamic load in ui.js and Prism.js static load
in index.html). This was present in the original PR #197 merge but was
dropped in the v0.42.1 commit.

script-src additions:
- 'unsafe-inline': required for onclick=/oninput=/onchange= attributes
- https://cdn.jsdelivr.net: Mermaid (dynamic) and Prism (static with SRI)

style-src: retains 'unsafe-inline' + cdn.jsdelivr.net (Prism CSS)

Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>

2026-04-09 19:07:51 -07:00

__init__.py

Hermes Web UI — Sprints 11-14: multi-provider models, settings, session QoL, alerts, polish

2026-03-31 07:02:47 +00:00

auth.py

fix(auth): prune expired sessions on every verify to prevent memory leak (#196 )

2026-04-09 18:05:23 -07:00

config.py

fix: do not build phantom Custom group when active provider is set (#206 )

2026-04-09 18:33:24 -07:00

helpers.py

fix(security): add unsafe-inline and CDN allowlist to CSP script-src (#209 )