Serve HTMX locally - no CDN dependencies

- Added /js/vendor route to serve local vendor JS files
- Downloaded htmx.min.js v1.9.10 to botserver-stack/static/js/vendor/
- Reverted CSP script-src, style-src and font-src to 'self' (no external CDN hosts)
- Updated APP_GENERATOR_PROMPT to use /js/vendor/htmx.min.js
- Updated designer prompt to use local HTMX path
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2026-01-02 17:54:36 -03:00
parent 7bad8d50f7
commit 2f045bffa5
4 changed files with 8 additions and 6 deletions


@ -492,8 +492,8 @@ Every HTML page MUST include proper SEO meta tags:
<title>{Page Title} - {App Name}</title>
<!-- IMPORTANT: Use relative paths for app assets -->
<link rel="stylesheet" href="styles.css">
<!-- HTMX from CDN - allowed by CSP -->
<script src="https://unpkg.com/htmx.org@1.9.10"></script>
<!-- HTMX served locally - NO external CDN -->
<script src="/js/vendor/htmx.min.js"></script>
<script src="designer.js" defer></script>
</head>
```
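Review bot: The new `<script src="/js/vendor/htmx.min.js">` is an absolute path sitting directly under the comment that says app assets must use relative paths, and the filename no longer carries the version that the old unpkg URL did, so a reader of this template cannot tell which HTMX build is pinned or whether the absolute path is intentional. Record both in the comment, since the commit message states the vendored file is v1.9.10: `<!-- HTMX v1.9.10 served locally from the server root - absolute path is intentional (not an app asset), NO external CDN -->`. Anyone bumping the vendored file then has one place to update the version note.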


@ -1144,7 +1144,7 @@ Guidelines:
- Forms should use hx-post for submissions
- Lists should use hx-get with pagination
- IMPORTANT: Use RELATIVE paths for app assets (styles.css, app.js, NOT /static/styles.css)
- For HTMX, use CDN: <script src="https://unpkg.com/htmx.org@1.9.10"></script>
- For HTMX, use LOCAL: <script src="/js/vendor/htmx.min.js"></script> (NO external CDN)
- CSS link should be: <link rel="stylesheet" href="styles.css">
Respond with valid JSON only."#,
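Review bot: The LOCAL bullet sits one line below `IMPORTANT: Use RELATIVE paths for app assets`, and an absolute `/js/vendor/...` path is exactly the shape that rule forbids, so a generator following the guidelines literally may rewrite it to `js/vendor/htmx.min.js`, which the router does not serve. Make the exception explicit in the bullet itself: `- For HTMX, use the server-wide LOCAL copy; this absolute path is intentional and must NOT be made relative: <script src="/js/vendor/htmx.min.js"></script> (NO external CDN)`. The surrounding raw string continues before the hunk.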


@ -314,6 +314,8 @@ async fn run_axum_server(
auth_config.clone(),
auth_middleware,
))
// Vendor JS files (htmx, etc.) served locally - no CDN
.nest_service("/js/vendor", ServeDir::new("./botserver-stack/static/js/vendor"))
// Static files fallback for legacy /apps/* paths
.nest_service("/static", ServeDir::new(&site_path))
// Security middleware stack (order matters - first added is outermost)
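Review bot: `ServeDir::new("./botserver-stack/static/js/vendor")` resolves against the process working directory, so the new `/js/vendor` route serves 404s whenever the binary is started from anywhere other than the repository root, while the `/static` service on the next line takes its directory from `site_path`. Resolve the vendor directory the same way, from configuration or joined onto the same base as `site_path`, e.g. `.nest_service("/js/vendor", ServeDir::new(vendor_js_path))` with `vendor_js_path` derived next to `site_path`. Whether this service ends up inside or outside the auth middleware closed on the lines above cannot be told from the hunk; since pages need htmx before any login, a comment such as `// intentionally unauthenticated: pages load htmx before sign-in` would make that explicit. `run_axum_server` begins before the hunk.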


@ -24,10 +24,10 @@ impl Default for SecurityHeadersConfig {
Self {
content_security_policy: Some(
"default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; \
style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' 'unsafe-inline'; \
img-src 'self' data: https:; \
font-src 'self' data: https://fonts.gstatic.com; \
font-src 'self' data:; \
connect-src 'self' wss: https:; \
frame-ancestors 'self'; \
base-uri 'self'; \
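Review bot: `script-src 'self' 'unsafe-inline' 'unsafe-eval'` on the new line still allows any injected inline script or eval to run, so dropping the CDN hosts narrows where scripts may be fetched from but does not stop injected script from executing; likewise `img-src 'self' data: https:` and `connect-src 'self' wss: https:` still permit every external origin, so the policy is not "'self' only" as the commit message describes. HTMX 1.9 documents that eval is only needed for features such as `hx-vars`, `hx-on` and event-filter expressions and can be disabled with `htmx.config.allowEval = false`; if the generated apps do not rely on those, `'unsafe-eval'` can be removed here. Either way, add a comment above `content_security_policy: Some(` recording why `'unsafe-inline'` and `'unsafe-eval'` are kept and what would let them go (e.g. nonces emitted by the designer), since the reason is not visible from the policy string. The `Default` impl begins before the hunk and the policy string continues after it.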