mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-05-22 10:20:14 +00:00
96ca83bf53
Opus stage-339 review SHOULD-FIX items:

1. server.py: drop 'unsafe-eval' from CSP report-only policy. Verified by grepping all production JS — zero matches for eval(), new Function(), or string-form setTimeout/setInterval. Keeping it was a gratuitous privilege.

2. server.py: add https://cdn.jsdelivr.net to script-src + style-src. index.html loads Prism/xterm/katex from this CDN with SRI hashes — without the allowance every page load fires known-good CSP violations that drown out real signal once a collector is wired.

3. api/commands.py: sanitize plugin command error. Previously returned f'Plugin command error: {exc}' which would leak paths/env from FileNotFoundError('/etc/something/secret.key') etc. Now returns only the exception type name; full traceback goes to server log.

Test asserts updated to match the new policy shape.

Co-authored-by: Opus advisor <opus-advisor@hermes.local>
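The two server-side changes the commit describes, a CSP report-only policy that omits 'unsafe-eval' and allows the jsDelivr CDN, and a plugin error response that exposes only the exception type name while the full traceback goes to the server log, as an added example. This is not code from hermes-webui; the function names (build_csp_report_only, run_plugin_command, sanitize_plugin_error), the directive set, and the logger name are this example's own assumptions, and the leaky "before" formatter is included only to contrast with the sanitized one.

```python
"""Added example: CSP report-only policy and sanitized plugin errors.

Not hermes-webui's code. Function names, directive set and logger name
are assumptions of this example.
"""
import logging
from typing import Any, Callable, Dict

logger = logging.getLogger("plugin-commands")  # assumed logger name

CDN_ORIGIN = "https://cdn.jsdelivr.net"


def build_csp_report_only(allow_cdn: bool = True,
                          allow_unsafe_eval: bool = False) -> str:
    """Return the value for a Content-Security-Policy-Report-Only header.

    Defaults reflect the commit's policy: the CDN is allowed for scripts
    and styles (the page loads them with SRI hashes), and 'unsafe-eval'
    is not granted because no production JS needs it.
    """
    script_src = ["'self'"]
    style_src = ["'self'"]
    if allow_cdn:
        script_src.append(CDN_ORIGIN)
        style_src.append(CDN_ORIGIN)
    if allow_unsafe_eval:  # kept only to show the weaker setting
        script_src.append("'unsafe-eval'")
    directives = {
        "default-src": ["'self'"],
        "script-src": script_src,
        "style-src": style_src,
        "object-src": ["'none'"],
    }
    return "; ".join(f"{name} {' '.join(srcs)}"
                     for name, srcs in directives.items())


def policy_sources(policy: str, directive: str) -> list:
    """Parse one directive's source list out of a serialized policy."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return tokens[1:]
    return []


def leaky_plugin_error(exc: BaseException) -> str:
    """The 'before' shape: str(exc) can carry file paths or env values."""
    return f"Plugin command error: {exc}"


def sanitize_plugin_error(exc: BaseException) -> str:
    """The 'after' shape: only the exception class name reaches the client.

    The traceback is still recorded server-side for debugging.
    """
    logger.error("plugin command failed", exc_info=exc)
    return f"Plugin command error: {type(exc).__name__}"


def run_plugin_command(command: Callable[[], Any]) -> Dict[str, Any]:
    """Run a plugin command and build the JSON-shaped response body."""
    try:
        return {"ok": True, "result": command()}
    except Exception as exc:  # noqa: BLE001 - boundary to untrusted plugins
        return {"ok": False, "error": sanitize_plugin_error(exc)}


if __name__ == "__main__":
    print(build_csp_report_only())

    def failing_plugin():
        # Constructed failure mirroring the commit's example path.
        raise FileNotFoundError("/etc/something/secret.key")

    print(leaky_plugin_error(FileNotFoundError("/etc/something/secret.key")))
    print(run_plugin_command(failing_plugin))
```

Note that policy_sources is a minimal splitter for checking a policy this code built itself; a real CSP collector should use a proper parser, and once one is wired up the absence of the CDN allowance would show as a steady stream of self-inflicted violations, which is what the commit's second item removes.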