From c4354782a80805b0034e97895fc9eed9bf40b72e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BChlmann?=
Date: Fri, 9 Jan 2026 15:10:23 +0100
Subject: [PATCH] Remove external apis
---
 .../static/js/broadcast/script-worker.js | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/src/main/resources/static/js/broadcast/script-worker.js b/src/main/resources/static/js/broadcast/script-worker.js
index c22ef28..f2c2823 100644
--- a/src/main/resources/static/js/broadcast/script-worker.js
+++ b/src/main/resources/static/js/broadcast/script-worker.js
@@ -8,6 +8,41 @@ let startTime = 0;
 const tickIntervalMs = 1000 / 60;
 const errorKeys = new Set();
 
+function disableNetworkApis() {
+ const blockedApis = {
+ fetch: () => {
+ throw new Error("Network access is disabled in asset scripts.");
+ },
+ XMLHttpRequest: undefined,
+ WebSocket: undefined,
+ EventSource: undefined,
+ importScripts: () => {
+ throw new Error("Network access is disabled in asset scripts.");
+ },
+ };
+
+ Object.entries(blockedApis).forEach(([key, value]) => {
+ if (!(key in self)) {
+ return;
+ }
+ try {
+ Object.defineProperty(self, key, {
+ value,
+ writable: false,
+ configurable: false,
+ });
+ } catch (error) {
+ try {
+ self[key] = value;
+ } catch (_error) {
+ // ignore if the API cannot be overridden in this environment
+ }
+ }
+ });
+}
+
+disableNetworkApis();
+
 function reportScriptError(id, stage, error) {
 if (!id) {
 return;
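Review bot: The `blockedApis` table in `disableNetworkApis()` is a denylist, and it leaves other network-capable parts of a worker scope untouched: `Worker` (a nested worker starts with a fresh, unpatched global) and `WebTransport` are not listed, and dynamic `import()` is syntax that no property override can shadow. If asset scripts are evaluated in this same global (not visible in the hunk), these overrides are better treated as defence in depth, with the restriction enforced by a Content-Security-Policy served with the worker script, for example `connect-src 'none'` together with tight `script-src` and `worker-src`. The inner `catch (_error)` also fails open: when neither `Object.defineProperty` nor the assignment succeeds, the API stays usable and nothing is reported, so I would fail closed there with `throw new Error("Unable to disable " + key);` or at least report it through the existing error path. The fallback `self[key] = value` leaves the property writable and configurable, which deserves a comment such as `// weaker than defineProperty: a script can reassign this`.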