imgfloat/server
1
0
Fork 0
mirror of https://github.com/imgfloat/server.git synced 2026-02-05 03:39:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add domain allow-list for script assets

Browse Source
This commit is contained in:
Andreas Krühlmann
2026-01-25 14:01:53 +01:00
parent b115e16f11
commit b57420d727
17 changed files with 634 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -74,11 +74,14 @@ marketplace-scripts/
{
"name": "Script display name",
"description": "Short description",
"allowedDomains": ["api.example.com", "cdn.example.com:8443"]
}
```
Only `name` is required. The folder name is used to identify the marketplace listing; when a script is imported, the asset receives a new generated ID. Media types are inferred from the files on disk. Attachments are loaded from the `attachments/` folder and appear in the imported script's attachments list, referenced by filename (for example `rotate.png`). Attachment filenames must be unique within a script. The logo is optional and remains separate from attachments; if you want to use the same image inside the script, add a copy of it under `attachments/`.
`allowedDomains` is optional; when provided it limits script `fetch` calls to the listed hostnames (up to 32 entries, ports allowed). Relative and same-origin requests remain permitted.
### Build and run
To run the application: