
fix(webapp): add clawdi.ai to embed allowlist and fix domain validation #36

Closed
kingsleydon wants to merge 1 commit into main from feat/cloud-api-schema-compat


Conversation

@kingsleydon (Collaborator)

Summary

  • Add *.clawdi.ai to embed page allowed domains (middleware, CSP headers, next.config)
  • Fix domain validation bypass: replace string.includes() with new URL() hostname parsing + endsWith() suffix matching, preventing spoofed domains like evil-phala.com from bypassing the check

Test plan

  • Verify embed page loads in iframe from *.phala.com, *.phala.network, *.clawdi.ai
  • Verify embed page returns 403 from unauthorized domains
  • Verify evil-phala.com or phala.com.evil.com are correctly rejected

🤖 Generated with Claude Code

…on bypass

Use URL parsing with hostname suffix matching instead of string includes()
to prevent domain spoofing (e.g. evil-phala.com bypassing the check).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
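The validation change described in the summary, as an added example that is not part of this PR or of the project's code base: the original substring check beside a hostname-parsing check that accepts only an exact match or a dot-delimited suffix match. The allowlist is taken from the PR description; the function names, the Origin-then-Referer fallback and treating the apex domains as allowed are assumptions. The example also goes slightly beyond the PR text by showing why the suffix comparison must include the leading dot: a bare endsWith("phala.com") still accepts evil-phala.com, which the test plan requires to be rejected.

```typescript
// Added example (not the project's code). Allowlist taken from the PR description;
// everything else here is an assumption or constructed sample input.
const ALLOWED_EMBED_DOMAINS = ["phala.com", "phala.network", "clawdi.ai"];

// Vulnerable form: substring match on the raw header value. Any URL that merely
// contains an allowed domain anywhere (host, path, query) passes.
export function allowedBySubstring(originHeader: string): boolean {
  return ALLOWED_EMBED_DOMAINS.some((d) => originHeader.includes(d));
}

// Still weak: the hostname is parsed, but a bare suffix is compared.
// "evil-phala.com" ends with "phala.com", so the lookalike host is accepted.
export function allowedByBareSuffix(hostname: string): boolean {
  return ALLOWED_EMBED_DOMAINS.some((d) => hostname.endsWith(d));
}

// Hardened form: exact match on the allowed domain (apex allowed, an assumption)
// or a suffix match that includes the dot separator, so only true subdomains of
// an allowed domain qualify.
export function allowedHostname(hostname: string): boolean {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // normalise case, drop trailing dot
  return ALLOWED_EMBED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Parse the header as an absolute URL and check only its hostname. Missing or
// unparsable values are denied by default.
export function allowedEmbedOrigin(originHeader: string | null | undefined): boolean {
  if (!originHeader) return false;
  let parsed: URL;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // not an absolute URL: deny
  }
  return allowedHostname(parsed.hostname);
}

// Middleware-style decision: the status the embed page would return for a request
// carrying these headers. Origin is preferred, Referer is the fallback (assumption).
export function embedResponseStatus(
  origin: string | null | undefined,
  referer: string | null | undefined,
): 200 | 403 {
  return allowedEmbedOrigin(origin || referer) ? 200 : 403;
}

// Constructed sample header values exercising the weak and hardened checks.
const SAMPLES = [
  "https://app.phala.com",
  "https://dash.clawdi.ai",
  "https://evil-phala.com",
  "https://phala.com.evil.com",
  "https://evil.com/?next=phala.com",
];
for (const s of SAMPLES) {
  console.log(`${s}  includes(): ${allowedBySubstring(s)}  hostname check: ${allowedEmbedOrigin(s)}`);
}
```

The same hostname check can feed the CSP frame-ancestors value and the middleware decision so the two allowlists cannot drift apart; whichever header is consulted, the value is parsed with new URL() first and only parsed.hostname is compared, never the raw string.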
@vercel
vercel bot commented Mar 24, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project       Deployment   Actions            Updated (UTC)
trust-center  Building     Preview, Comment   Mar 24, 2026 7:48am


@kingsleydon kingsleydon deleted the feat/cloud-api-schema-compat branch March 24, 2026 07:49