Merged
1 change: 1 addition & 0 deletions .gitignore
@@ -6,3 +6,4 @@ node_modules
.env
.env.*
!.env.example
/.vercel
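Review bot: no issue with this hunk; `/.vercel` matches the `.vercel/**` entry added to the eslint ignore list in this same change, so both tools agree on treating the Vercel CLI output directory as untracked.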
2 changes: 1 addition & 1 deletion AGENTS.md
@@ -20,6 +20,6 @@
- The `prepare` script (`svelte-kit sync`) runs automatically during `npm install`. If you see import errors for `$app/*` modules, re-run `npm install`.
- The dev server uses Vite's default port **5173**. Pass `--host 0.0.0.0` to expose it outside localhost: `npm run dev -- --host 0.0.0.0`.
- Requires **Node.js >= 24** (`engines` field in `package.json`). Use `nvm use 24` if multiple versions are installed.
- Preview functionality depends on the external CORS proxy `api.codetabs.com`. If previews fail to load, this third-party service may be down.
- Preview functionality uses the internal `/api/proxy` endpoint. Configure `PROXY_ALLOWED_ORIGINS` with deployment origins (comma separated) to restrict CORS.
- `svelte-preprocess` deprecation warnings about "defaults" are expected and harmless.
- The `package-lock.json` uses npm; do not mix with other package managers.
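Review bot: the replacement bullet tells the reader to set `PROXY_ALLOWED_ORIGINS` but not what `/api/proxy` does when the variable is unset, and the README hunk in this same change lists origin checking as a security constraint, so that default (deny all, or allow all) is the detail a deployer most needs here. Suggest extending the line, e.g. `Configure `PROXY_ALLOWED_ORIGINS` with deployment origins (comma separated) to restrict CORS; when unset, <state the default>.`, and pointing at `.env.example` (kept tracked by the `!.env.example` rule in `.gitignore`) as the place to record the expected value.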
18 changes: 18 additions & 0 deletions README.md
@@ -28,6 +28,24 @@ npm i
npm run dev -- --open
```

## Proxy Configuration

Preview fetching now uses the first-party SvelteKit endpoint at `/api/proxy` (instead of `api.codetabs.com`), which requires a server adapter such as Vercel.

To lock down CORS for your deployment domain(s), configure:

```sh
PROXY_ALLOWED_ORIGINS=https://static-preview.vercel.app,http://localhost:5173
```

Security constraints in `/api/proxy`:

- only proxies `https://raw.githubusercontent.com/...` URLs
- only proxies GitLab `https://gitlab.com/.../-/raw/...` URLs
- rejects non-HTTPS targets, query strings, and path traversal
- allows requests only from configured origins (checks `Origin` then `Referer`)
- enforces a max upstream payload size of 5 MiB

## Testing

We use [Jest](https://jestjs.io/) for unit testing. Only URL parsing is tested to prevent regressions.
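Review bot: the bullet `allows requests only from configured origins (checks `Origin` then `Referer`)` overstates what that check provides: both headers are supplied by the client, so the restriction limits use of the proxy from other web origins but does not authenticate callers; the two host allowlists, the HTTPS/query-string/traversal rejection and the 5 MiB cap are the controls that actually bound abuse. Suggest wording it as `allows browser requests only from configured origins (checks `Origin` then `Referer`); these headers are client-controlled, so this is not an authentication boundary`, and adding one sentence on the behaviour when `PROXY_ALLOWED_ORIGINS` is unset, since the `sh` example only shows the configured case.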
1 change: 1 addition & 0 deletions eslint.config.js
@@ -15,6 +15,7 @@ export default [
'.DS_Store',
'node_modules/**',
'build/**',
'.vercel/**',
'.svelte-kit/**',
'package/**',
'.env',