Files
Jiang Bohan 8f9cea9226 fix(security): add ws: scheme and dynamic origins to CSP connect-src
The CSP connect-src directive only allowed 'self' and wss:, which
blocks WebSocket connections over ws:// in non-HTTPS environments
(e.g. dev deployments). Also, cross-origin API/WS endpoints were not
covered when frontend and backend are on different origins.

Changes:
- Add ws: alongside wss: in connect-src
- Dynamically inject ALLOWED_ORIGINS into connect-src so cross-origin
  connections are permitted by the policy
- Export BuildCSP / InitCSP for testability and router integration

Closes MUL-667
2026-04-13 14:18:42 +08:00
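As an added example (hypothetical code, not the project's BuildCSP/InitCSP), the function below assembles a connect-src directive the way the commit describes: 'self' and wss: always, ws: only when plaintext WebSockets are wanted, then each entry of an ALLOWED_ORIGINS list, validated to be exactly scheme://host[:port] so that a malformed or wildcard entry cannot widen the policy. Keep in mind that a bare scheme source such as ws: matches every host, so the explicit origins are the tighter part of the directive.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// BuildConnectSrc builds a CSP connect-src directive from an origin allow-list.
// Hypothetical illustration of the approach in the commit message, not the
// project's own code. allowWS adds the plaintext ws: scheme source, which
// non-TLS dev deployments need; note it matches any host, unlike an origin.
func BuildConnectSrc(allowedOrigins []string, allowWS bool) (string, error) {
	sources := []string{"'self'", "wss:"}
	if allowWS {
		sources = append(sources, "ws:")
	}
	seen := map[string]bool{}
	for _, raw := range allowedOrigins {
		o := strings.TrimSpace(raw)
		if o == "" {
			continue
		}
		u, err := url.Parse(o)
		// An origin is scheme://host[:port] only; tolerate a trailing slash.
		if err != nil || u.Host == "" || (u.Path != "" && u.Path != "/") ||
			u.RawQuery != "" || u.Fragment != "" || u.User != nil {
			return "", fmt.Errorf("invalid origin %q: expected scheme://host[:port]", raw)
		}
		switch u.Scheme {
		case "http", "https", "ws", "wss":
		default:
			return "", fmt.Errorf("invalid origin %q: unsupported scheme %q", raw, u.Scheme)
		}
		// Reject wildcards and directive/source separators in the host part.
		if strings.ContainsAny(u.Host, "* ;,'\"") {
			return "", fmt.Errorf("invalid origin %q: wildcard or separator in host", raw)
		}
		origin := u.Scheme + "://" + u.Host
		if !seen[origin] {
			seen[origin] = true
			sources = append(sources, origin)
		}
	}
	return "connect-src " + strings.Join(sources, " "), nil
}

func main() {
	// Constructed sample allow-list, as it might come from ALLOWED_ORIGINS.
	d, err := BuildConnectSrc([]string{"https://api.example.com", "ws://localhost:8080"}, true)
	fmt.Println(d, err)
}
```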