outline/server
Tom Moor ae5cd6a159 fix: Allow service worker to load on custom domains (#12502)
* fix: Allow service worker to load on custom domains

Add explicit worker-src 'self' so the service worker can register on
team custom domains. Without it, browsers fall back to script-src which
only lists env.URL and env.CDN_URL, blocking /static/sw.js on hosts
like docs.getoutline.com.

* fix: Switch worker-src approach to script-src 'self' for type safety

The @types/koa-helmet definitions don't include workerSrc. Add 'self'
to script-src instead — worker-src falls back to script-src per spec,
and 'self' matches the document origin on custom domains.

* fix: Properly add worker-src directive without script-src widening

Extract the CSP directives to a local variable so workerSrc can be
included despite koa-helmet's outdated type definitions missing it
(the underlying helmet supports it). Also drop @types/koa-helmet
since the package now ships its own (equivalent) types.
2026-05-28 09:07:05 -04:00
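The fallback described in the commit message above, as an added example that is not code from the Outline repository: a simplified model of how a browser picks the CSP directive governing a service worker load. The app and CDN hosts are constructed stand-ins for env.URL and env.CDN_URL, the policy strings are constructed, and source matching covers only 'self' and exact origins.

```javascript
// CSP Level 3 fallback chain for worker requests: first directive present wins.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified matching (assumption): only 'self' and scheme://host[:port] sources.
function sourceMatches(source, requestUrl, documentOrigin) {
  if (source === "'self'") return requestUrl.origin === documentOrigin;
  if (source.startsWith("'")) return false; // 'none' and other keywords match no URL
  try {
    return new URL(source).origin === requestUrl.origin;
  } catch {
    return false; // scheme-less or wildcard sources are out of scope here
  }
}

function checkWorkerLoad(header, documentOrigin, workerPath) {
  const policy = parsePolicy(header);
  const requestUrl = new URL(workerPath, documentOrigin);
  const directive = WORKER_FALLBACK.find((d) => policy.has(d));
  if (!directive) return { directive: null, allowed: true };
  const allowed = policy
    .get(directive)
    .some((s) => sourceMatches(s, requestUrl, documentOrigin));
  return { directive, allowed };
}

const APP = "https://app.example.com"; // constructed stand-in for env.URL
const CDN = "https://cdn.example.com"; // constructed stand-in for env.CDN_URL
const CUSTOM = "https://docs.getoutline.com"; // custom domain named in the commit message

const before = `script-src ${APP} ${CDN}`; // no worker-src: falls back to script-src
const after = `${before}; worker-src 'self'`; // worker-src set, script-src unchanged

console.log("before:", checkWorkerLoad(before, CUSTOM, "/static/sw.js"));
console.log("after: ", checkWorkerLoad(after, CUSTOM, "/static/sw.js"));
```

With the explicit worker-src, the governing directive changes while the script-src source list stays exactly as it was.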