Dorian 2bfc36baa0 fix: restrict CORS to same-origin with explicit origin validation ...

Replace blanket cors_origin() with validate_origin() that checks the
incoming Origin header against allowed origins (host IP + dev server).
Unknown origins no longer receive Access-Control-Allow-Origin headers.
Also added X-CSRF-Token to allowed CORS headers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-11 00:53:51 +00:00

..

Old Plans

fix: prevent My Apps crash when installing apps + add filebrowser to demo

2026-03-09 17:09:59 +00:00

pentest

chore: add security pentest reports and remediation plan

2026-03-06 03:08:14 +00:00

loop.sh

chore: add pentest-fix prompt and wire verification into loop.sh

2026-03-06 03:53:36 +00:00

pentest.yaml

chore: add security pentest reports and remediation plan

2026-03-06 03:08:14 +00:00

plan.md

fix: restrict CORS to same-origin with explicit origin validation

2026-03-11 00:53:51 +00:00

prepare.sh

feat: AIUI chat mode integration with iframe, context broker, overnight loop

2026-03-04 12:06:20 +00:00

prompt-pentest-fix.md

chore: add pentest-fix prompt and wire verification into loop.sh

2026-03-06 03:53:36 +00:00

prompt.md

fix: add 6 missing apps to first-boot and fix penpot icon path

2026-03-09 00:18:28 +00:00

testing.md

fix: zero-amount invoices, identity.verify DID extraction, tor service permissions

2026-03-09 09:53:36 +00:00