Serve HTMX locally - no CDN dependencies

- Added /js/vendor route to serve local vendor JS files
- Downloaded htmx.min.js v1.9.10 to botserver-stack/static/js/vendor/
- Reverted CSP to strict 'self' only (no external CDN)
- Updated APP_GENERATOR_PROMPT to use /js/vendor/htmx.min.js
- Updated designer prompt to use local HTMX path
Rodrigo Rodriguez (Pragmatismo) 2026-01-02 17:54:36 -03:00
parent 7bad8d50f7
commit 2f045bffa5
4 changed files with 8 additions and 6 deletions


@ -492,8 +492,8 @@ Every HTML page MUST include proper SEO meta tags:
<title>{Page Title} - {App Name}</title> <title>{Page Title} - {App Name}</title>
<!-- IMPORTANT: Use relative paths for app assets --> <!-- IMPORTANT: Use relative paths for app assets -->
<link rel="stylesheet" href="styles.css"> <link rel="stylesheet" href="styles.css">
<!-- HTMX from CDN - allowed by CSP --> <!-- HTMX served locally - NO external CDN -->
<script src="https://unpkg.com/htmx.org@1.9.10"></script> <script src="/js/vendor/htmx.min.js"></script>
<script src="designer.js" defer></script> <script src="designer.js" defer></script>
</head> </head>
``` ```
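Review bot: The new script tag points at an unversioned file, `/js/vendor/htmx.min.js`, so the `v1.9.10` pin exists only in the commit message and nowhere in the template or the served path; whoever later replaces the file under `static/js/vendor/` with a newer build silently changes every generated page, and a later major htmx release may not accept the `hx-*` markup this prompt prescribes. Either serve the vendor file under a versioned name and reference it that way, e.g. `<script src="/js/vendor/htmx-1.9.10.min.js"></script>`, or add a comment next to the template recording the pinned version and where the file came from. The same applies to the prompt line changed in the second file section (`For HTMX, use LOCAL: ...`). The enclosing template string starts and ends outside this hunk.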


@ -1144,7 +1144,7 @@ Guidelines:
- Forms should use hx-post for submissions - Forms should use hx-post for submissions
- Lists should use hx-get with pagination - Lists should use hx-get with pagination
- IMPORTANT: Use RELATIVE paths for app assets (styles.css, app.js, NOT /static/styles.css) - IMPORTANT: Use RELATIVE paths for app assets (styles.css, app.js, NOT /static/styles.css)
- For HTMX, use CDN: <script src="https://unpkg.com/htmx.org@1.9.10"></script> - For HTMX, use LOCAL: <script src="/js/vendor/htmx.min.js"></script> (NO external CDN)
- CSS link should be: <link rel="stylesheet" href="styles.css"> - CSS link should be: <link rel="stylesheet" href="styles.css">
Respond with valid JSON only."#, Respond with valid JSON only."#,


@ -314,6 +314,8 @@ async fn run_axum_server(
auth_config.clone(), auth_config.clone(),
auth_middleware, auth_middleware,
)) ))
// Vendor JS files (htmx, etc.) served locally - no CDN
.nest_service("/js/vendor", ServeDir::new("./botserver-stack/static/js/vendor"))
// Static files fallback for legacy /apps/* paths // Static files fallback for legacy /apps/* paths
.nest_service("/static", ServeDir::new(&site_path)) .nest_service("/static", ServeDir::new(&site_path))
// Security middleware stack (order matters - first added is outermost) // Security middleware stack (order matters - first added is outermost)
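Review bot: `ServeDir::new("./botserver-stack/static/js/vendor")` is resolved against the process working directory, whereas the neighbouring `/static` service takes its root from `site_path`; started from any other directory (a service unit, a container with a different working directory) the route answers 404 and every generated page loses htmx with nothing logged server-side. Anchor the directory to configuration instead, for example a `vendor_path` resolved next to `site_path`, or, if `site_path` already is the stack's static root, something like `ServeDir::new(Path::new(&site_path).join("js/vendor"))` — the type of `site_path` is not visible here, so confirm before choosing. A short comment on the new line stating that everything in this directory is served as a same-origin script (and so is covered by the `'self'` CSP) would make clear that only reviewed vendor builds belong there. `run_axum_server` starts and ends outside the hunk.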


@ -24,10 +24,10 @@ impl Default for SecurityHeadersConfig {
Self { Self {
content_security_policy: Some( content_security_policy: Some(
"default-src 'self'; \ "default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; \ script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com; \ style-src 'self' 'unsafe-inline'; \
img-src 'self' data: https:; \ img-src 'self' data: https:; \
font-src 'self' data: https://fonts.gstatic.com; \ font-src 'self' data:; \
connect-src 'self' wss: https:; \ connect-src 'self' wss: https:; \
frame-ancestors 'self'; \ frame-ancestors 'self'; \
base-uri 'self'; \ base-uri 'self'; \
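Review bot: The new `script-src 'self' 'unsafe-inline' 'unsafe-eval'` is not the "strict 'self' only" policy the commit message describes: with `'unsafe-inline'` and `'unsafe-eval'` still present, any script injected into a generated page remains executable, so dropping the CDN hosts narrows the origin list but not the injection surface. If both tokens are kept deliberately (htmx 1.x evaluates `hx-on`/`hx-vars` expressions unless `htmx.config.allowEval` is turned off, and generated pages may carry inline handlers), record that on these lines, e.g. `// 'unsafe-inline'/'unsafe-eval' kept for htmx inline attributes and generated inline scripts; move to nonces once templates stop emitting them`, so the next reader does not take the commit message at face value. Note also that `img-src` and `connect-src` still allow any `https:` host, so "no external CDN" holds for scripts and styles only. The policy string continues past the end of the hunk.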