mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 21:39:54 +02:00
The CSP connect-src directive only allowed 'self' and wss:, which blocks WebSocket connections over ws:// in non-HTTPS environments (e.g. dev deployments). Also, cross-origin API/WS endpoints were not covered when frontend and backend are on different origins.

Changes:
- Add ws: alongside wss: in connect-src
- Dynamically inject ALLOWED_ORIGINS into connect-src so cross-origin connections are permitted by the policy
- Export BuildCSP / InitCSP for testability and router integration

Closes MUL-667
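An added example, not the project's BuildCSP or any code from this commit: one way to assemble the connect-src directive described above while validating each configured origin, so that a malformed value cannot add sources or extra directives to the header. The helper name `connectSrc`, the comma-separated format of ALLOWED_ORIGINS, and the sample value are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// connectSrc (hypothetical helper) builds a connect-src directive from a
// comma-separated origin list and returns the entries it refused.
func connectSrc(allowedOrigins string) (string, []string) {
	// ws: and wss: are scheme sources: they match any host over that scheme.
	sources := []string{"'self'", "ws:", "wss:"}
	var rejected []string
	seen := map[string]bool{}
	for _, raw := range strings.Split(allowedOrigins, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		u, err := url.Parse(raw)
		// Accept only bare scheme://host[:port] origins. Whitespace, ';',
		// quotes or '*' could add sources or whole directives to the policy.
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") ||
			u.Host == "" || u.User != nil || u.Path != "" || u.RawQuery != "" ||
			u.Fragment != "" || strings.ContainsAny(raw, " \t\r\n;,'\"*") {
			rejected = append(rejected, raw)
			continue
		}
		origin := u.Scheme + "://" + strings.ToLower(u.Host)
		if !seen[origin] { // de-duplicate repeated entries
			seen[origin] = true
			sources = append(sources, origin)
		}
	}
	return "connect-src " + strings.Join(sources, " "), rejected
}

func main() {
	// Constructed sample value; the last two entries are malformed on purpose.
	env := "https://api.example.test, http://localhost:8080, https://x.test; script-src *, *"
	directive, rejected := connectSrc(env)
	fmt.Println(directive)
	fmt.Println("rejected:", rejected)
}
```

Logging the rejected entries at startup makes a misconfigured origin visible instead of silently weakening or breaking the policy.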