Review feedback: the original guard substring-searched the whole file after the first "csp" token, which (a) false-passes if any unrelated JSON value elsewhere in the config happens to contain a localhost URL and (b) false-fails if the CSP is ever re-serialised with escaped forward slashes. Switches to serde_json + a /app/security/csp pointer lookup, then splits the CSP on ';', finds the connect-src directive, tokenises its allow-list on whitespace, and requires an exact match for both http://127.0.0.1:* and ws://127.0.0.1:*. The error now also includes the current connect-src value so a developer who breaks it can see exactly what needs restoring.
2.8 KiB
2.8 KiB