You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: proxy provider-display-config icons through the API
Add GET /admin/api/v1/provider-display-configs/{provider_key}/icon, a
server-side proxy that fetches the operator-set icon URL and streams the
bytes back to the browser under the same origin as the dashboard.
The motivation is the dashboard's Content-Security-Policy. `icon` URLs in
provider_display_configs are operator-pasted and span many external hosts
(npmmirror, simpleicons, Wikipedia, GitHub avatars, Webflow CDNs, ...) that
change as new providers are added. Enumerating each host in `img-src` is
a treadmill; the alternative — widening `img-src` to allow any HTTPS
origin — loosens CSP for every image load. Routing icons through this
endpoint means the browser only ever loads them from `'self'`, so `img-src`
can stay tight regardless of where operators source their logos.
Safety on the upstream fetch:
- only `https://` URLs are proxied; relative paths / registry-key shortcuts
return 404 and stay handled client-side
- 5 s total timeout
- 2 MiB body cap, enforced while streaming
- 3-redirect limit
- upstream `Content-Type` must start with `image/`; the bytes are returned
with that exact type and a 1 h `Cache-Control`
Follow-ups (separate PRs):
- app-doubleword-private: SPA renders icons via this endpoint
- internal: once both ship, tighten the CSP `img-src` back to
'self' data: blob:'
description = "Fetches the operator-set icon URL server-side and streams it back. Lets the SPA keep a tight CSP regardless of where the icon URL points.",
330
+
params(("provider_key" = String,Path)),
331
+
responses(
332
+
(status = 200, description = "Icon bytes"),
333
+
(status = 404, description = "Provider or icon not found / not proxyable"),
0 commit comments