Fix viewer API routing under Content-Security-Policy.

Pass the viewer id via a body data attribute instead of a blocked inline script so personal links still load saved data after restart.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-19 16:33:59 +02:00
parent fdeaf04280
commit e79fe34643
2 changed files with 9 additions and 6 deletions
+1 -2
@@ -7,10 +7,9 @@
<link rel="stylesheet" href="/static/style.css">
<script src="/static/vendor/chart.umd.min.js" defer></script>
<script src="/static/i18n.js" defer></script>
<script>window.VIEWER_ID = {{ viewer_id|tojson }};</script>
<script src="/static/app.js" defer></script>
</head>
<body>
<body data-viewer-id="{{ viewer_id }}">
<div class="layout">
<aside class="sidebar">
<div class="brand">
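Review bot: On the new `<body data-viewer-id="{{ viewer_id }}">` line, the value no longer goes through `tojson`, so both its type and its empty case change. `document.body.dataset.viewerId` is always a string, and an unset `viewer_id` that previously reached the script as `null` is now rendered as literal text (assuming this is a Jinja template, the string `None`), which the client could send to the viewer API as if it were a real id. Suggest emitting the attribute only when an id exists, or rendering `{{ viewer_id or '' }}` and having app.js treat an empty string as "no viewer". The quoted attribute is also only safe while autoescaping is active for this template, so confirm that or add an explicit `|e`. The matching reader in app.js is not visible in this hunk; because that script is loaded with `defer`, reading the attribute at startup is fine, but the review should check that it no longer falls back to `window.VIEWER_ID`.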