<!DOCTYPE html>
<html lang="en" class="dark">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>My App</title>
<script>
// Canonical mithril.money host for this app. Injected by the publish
// pipeline so the redirect below knows exactly where to send
// pages.dev visitors. If the placeholder survives (dev / sandbox /
// incomplete deploy), the redirect no-ops.
//
// NOTE(review): this string becomes the host part of a navigation
// target in the redirect script, so whatever the pipeline substitutes
// here decides where pages.dev visitors are sent. Presumably the
// pipeline writes a bare hostname only (no scheme, path, port or
// userinfo) - confirm the substitution step validates and escapes it.
window.__MITHRIL_CUSTOM_DOMAIN__ = "{{MITHRIL_CUSTOM_DOMAIN_PLACEHOLDER}}";
</script>
<script>
// Redirect pages.dev -> canonical mithril.money before any JS / React
// boots. The app's mt_app_* key has allowed_origins =
// [https://{canonical}.mithril.money] ONLY; a user visiting the raw
// CF Pages infrastructure URL (e.g. {slug}-{hash}.pages.dev) would
// otherwise hit ORIGIN_NOT_ALLOWED on session mint.
//
// The canonical target is injected by the server (see above), NOT
// reconstructed from the hostname - CF Pages auto-suffixes the
// subdomain for non-unique project names so "untitled.pages.dev"
// becomes "untitled-8cr.pages.dev" and a regex rewrite would point
// to a dead host.
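(function(){
  // Sends a visitor on the project's canonical "{project}.pages.dev"
  // host to the injected canonical domain, keeping path, query and
  // fragment. Every failed check returns without navigating, so the
  // visitor stays on the current page.
  try {
    var host = (window.location && window.location.hostname) || "";
    if (host.slice(-10) !== ".pages.dev") return; // fast-exit on non-Pages host
    // CODEX PUBLISHING-P3-1: only the canonical "{project}.pages.dev"
    // (3 dot-labels) redirects; multi-dot branch/deployment previews
    // (4+ labels) are intentionally NOT redirected (CLAUDE.md #16).
    if (host.split(".").length !== 3) return;
    var target = window.__MITHRIL_CUSTOM_DOMAIN__;
    // Validate the injected domain: must be an FQDN, must not still
    // be the unreplaced placeholder literal. If malformed, fail
    // silent (user stays on pages.dev and sees the "Failed to
    // create session" message from ConnectExchange, which is the
    // pre-fix behavior).
    if (typeof target !== "string") return;
    if (target.indexOf("{{") !== -1) return;
    if (target.indexOf(".") === -1) return;
    // The value is concatenated straight after "https://", so a "/",
    // "@", ":", "?", "#", "\" or whitespace in it would change which
    // host the browser navigates to. Accept only hostname characters
    // (letters, digits, hyphens, dots; punycode IDNs fit) and cap the
    // length at the DNS name limit.
    if (target.length > 253) return;
    if (!/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/.test(target)) return;
    // Hostnames are case-insensitive; location.hostname is lower-case.
    if (target.toLowerCase() === host) return; // already on canonical
    var url = "https://" + target
      + (window.location.pathname || "/")
      + (window.location.search || "")
      + (window.location.hash || "");
    // replace() keeps the pages.dev URL out of the back-button history.
    window.location.replace(url);
  } catch (e) { /* noop: old browsers, sandbox iframe, etc. */ }
})();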
</script>
<script>
// Mithril app key. Injected by the publish pipeline. Public-safe:
// domain-locked, rate-limited, revocable. See docs/APP_KEYS_STRATEGY.md.
//
// NOTE(review): the key ships in page source, so treat it as readable
// by anyone. An origin lock is checked against the browser-supplied
// Origin header, which constrains other web pages but not non-browser
// clients that set the header themselves - presumably the rate limit
// and revocation are the controls for that case; confirm against
// docs/APP_KEYS_STRATEGY.md. Nothing more privileged than this key
// should ever be substituted into this placeholder.
window.__MITHRIL_APP_KEY__ = "{{MITHRIL_APP_KEY_PLACEHOLDER}}";
</script>
<script>
// Error reporter: sends runtime errors to parent (Mithril Builder) via postMessage.
// Redacts session / magic-link tokens and app keys before forwarding so
// nothing ever ends up in the parent frame's console or network stream.
(function(){
// Token shapes that must never leave this frame: a known prefix
// followed by at least eight word characters. Order matters, because
// each pattern runs on the output of the previous one.
var REDACT = [
  /ses_[A-Za-z0-9_]{8,}/g,
  /mlk_[A-Za-z0-9_]{8,}/g,
  /mt_app_[A-Za-z0-9_]{8,}/g,
  /mt_live_[A-Za-z0-9_]{8,}/g
];

/**
 * Returns the input coerced to a string with every match of the
 * REDACT patterns replaced by "[REDACTED]".
 * Only the four prefixes above are covered; any other secret or
 * personal data in the text passes through unchanged.
 */
function scrub(s){
  return REDACT.reduce(function (text, pattern) {
    return text.replace(pattern, "[REDACTED]");
  }, String(s));
}
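/**
 * Converts one console.error argument to text without throwing.
 * Error instances are rendered from their stack (or message), because
 * JSON.stringify() on an Error yields "{}" and would drop the detail.
 * Other objects are JSON-encoded and primitives go through String().
 * Returns "[unserializable]" when conversion throws (for example on a
 * circular structure).
 */
function safeStringify(arg){
  try {
    if (arg instanceof Error) {
      return String(arg.stack || arg.message || arg);
    }
    return typeof arg === "object" ? JSON.stringify(arg) : String(arg);
  } catch (e) {
    return "[unserializable]";
  }
}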
/**
 * Posts one error string to the parent frame as
 * {type: "error", message}. The text is scrubbed first and then cut
 * to 500 characters, so a token can never be cut in half and left
 * partly visible.
 *
 * NOTE(review): the "*" target origin delivers the message to whatever
 * page is framing this app, not only to Mithril Builder. scrub() only
 * covers known token prefixes, so other sensitive text in an error
 * string would still reach that frame. Passing the Builder origin
 * (placeholder: <BUILDER_ORIGIN>) as the second argument would limit
 * the recipients - confirm which origins are expected to embed this
 * page.
 */
function report(msg){
  var payload;
  try {
    payload = { type: "error", message: scrub(msg).slice(0, 500) };
    window.parent.postMessage(payload, "*");
  } catch (e) {
    // Best-effort: a failure to report must not raise a new error.
  }
}
// Uncaught exceptions: prefer the stack when the browser supplies an
// Error object, otherwise fall back to "message at source:line:col".
window.onerror = function(msg, src, line, col, err){
  var stack = err && err.stack;
  report(stack || (msg + " at " + src + ":" + line + ":" + col));
};

// Rejected promises nobody handled: use the stack or message of the
// rejection reason when present, else its string form.
window.addEventListener("unhandledrejection", function(e){
  var reason = e.reason;
  var detail = (reason && (reason.stack || reason.message)) || String(reason);
  report("Unhandled promise rejection: " + detail);
});

// Wrap console.error so each call still prints locally and is also
// forwarded. The local print is unredacted; only the forwarded copy
// goes through report().
var nativeConsoleError = console.error;
console.error = function(){
  nativeConsoleError.apply(console, arguments);
  var rendered = Array.prototype.slice.call(arguments).map(function (item) {
    return safeStringify(item);
  });
  report("console.error: " + rendered.join(" "));
};
})();
</script>
</head>
<body class="min-h-screen bg-background text-foreground antialiased">
<div id="root"></div>
<script type="module" src="/src/main.tsx"></script>
</body>
</html>