* security fix
* more security fixes
* fixes
* pr feedback
* Restore remote URL loading in native-shell-ios and native-shell-android
Remove bundled-asset-only loading and SHA-256 integrity checks from both
native shell packages. WebViews now load directly from the remote URL
(default: https://self-app-alpha.vercel.app) over HTTPS, matching the
pattern already implemented in kmp-sdk and self-sdk-swift.
Also fixes ObjC selector mismatch in self-sdk-swift WebViewProviderImpl
for configureRemoteLoading.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Restore remote URL loading in kmp-sdk and self-sdk-swift
Remove bundled-asset-only loading from kmp-sdk AndroidWebViewHost and
self-sdk-swift WebViewProviderImpl. Both now load directly from the
remote URL (default: https://self-app-alpha.vercel.app) over HTTPS.
Adds remoteWebAppBaseUrl to SelfSdkConfig and pipes it through
IosWebViewHost via the new configureRemoteLoading protocol method.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* coderabbit comments
* lint
* coderabbit comments
---------
Co-authored-by: seshanthS <seshanth@protonmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Add remote webview integrity checks
* fixes
* feedback
* update tests; fix pipelines
* fix ci
* feat(webview): add subresource integrity (SRI) to build output
The SHA-256 remote integrity check only covers the entry HTML document.
Sub-resources (JS, CSS) loaded by that HTML were fetched without
integrity verification, allowing a compromised CDN to swap bundles.
Add a custom Vite plugin that injects SRI sha384 hashes into all
script and link tags in the built index.html. The browser natively
enforces these hashes, blocking any tampered sub-resources.
Includes tests verifying integrity attributes are present and that
hashes match the actual file contents on disk.
---------
Co-authored-by: Tranquil-Flow <tranquil_flow@protonmail.com>
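
The sub-resource integrity step described in the last entry above, as an added example that is not the project's Vite plugin: it computes sha384 SRI values for built files, injects them into the script and link tags of an index.html, and reports which tagged files no longer match. The function names, file names and sample build output are constructed for illustration.

```javascript
// Added example, not the project's plugin. File names and contents are constructed.
const { createHash } = require("node:crypto");

// SRI value for a file's bytes: "sha384-" + base64(SHA-384 digest).
function sriHash(bytes) {
  return "sha384-" + createHash("sha384").update(bytes).digest("base64");
}

const stripSlash = (url) => url.replace(/^\.?\//, "");

// Add integrity (and crossorigin, required for cross-origin SRI) to <script src>
// and stylesheet/modulepreload <link> tags whose target is listed in `assets`.
function injectSri(html, assets) {
  return html.replace(/<(script|link)\b[^>]*>/gi, (tag, name) => {
    const isLink = name.toLowerCase() === "link";
    if (/\sintegrity\s*=/i.test(tag)) return tag; // already pinned
    if (isLink && !/\srel=["'](stylesheet|modulepreload)["']/i.test(tag)) return tag;
    const m = tag.match(isLink ? /\shref=["']([^"']+)["']/i : /\ssrc=["']([^"']+)["']/i);
    const bytes = m && assets[stripSlash(m[1])];
    if (!bytes) return tag; // inline script, or URL not in the build output
    const close = tag.endsWith("/>") ? "/>" : ">";
    const cors = /\scrossorigin\b/i.test(tag) ? "" : ' crossorigin="anonymous"';
    return `${tag.slice(0, -close.length).trimEnd()} integrity="${sriHash(bytes)}"${cors}${close}`;
  });
}

// Build-time check mirroring what the browser enforces: list every tagged URL
// whose bytes no longer match its integrity attribute.
function findSriMismatches(html, assets) {
  const bad = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*\sintegrity=[^>]*>/gi)) {
    const url = (tag.match(/\s(?:src|href)=["']([^"']+)["']/i) || [])[1];
    const want = (tag.match(/\sintegrity=["']([^"']+)["']/i) || [])[1];
    const bytes = url && assets[stripSlash(url)];
    if (!bytes || sriHash(bytes) !== want) bad.push(url);
  }
  return bad;
}

// Constructed sample build output.
const distFiles = {
  "assets/index-abc.css": Buffer.from("body{margin:0}"),
  "assets/index-abc.js": Buffer.from("console.log('app')"),
};
const builtHtml = `<!doctype html><html><head>
<link rel="stylesheet" href="/assets/index-abc.css">
<link rel="icon" href="/favicon.ico">
<script type="module" src="/assets/index-abc.js"></script>
<script>window.x = 1</script>
</head></html>`;
const pinnedHtml = injectSri(builtHtml, distFiles);
```

The entry HTML itself is not covered by these attributes, which is why the commit message pairs them with the separate SHA-256 check on the document.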