fix(csp): allow HF XET CDN (cas-bridge.xethub.hf.co) for transformers.js

After the WebLLM → transformers.js migration, the first attempt to load
Gemma 4 E2B in /llm-test was blocked by CSP at the *weight shard*
download step (tokenizer.json got through fine — it lives on
huggingface.co directly). HF has rolled out a new XET-backed CDN for
large model files at cas-bridge.xethub.hf.co, served from
*.xethub.hf.co (the parent zone is hf.co, NOT huggingface.co — so our
existing wildcard `*.huggingface.co` did not cover it).

Open the broader hf.co wildcard (`https://*.hf.co`) so future XET host
rotations don't bite us, plus the explicit cas-bridge.xethub.hf.co
entry for older CSP-strict browsers that want narrower matches first.
The legacy huggingface.co + cdn-lfs.huggingface.co entries stay in place
for repo metadata and any model still on the old LFS path.

Update the comment block above the CSP additions to reflect that the
package now uses transformers.js + ONNX shards rather than the old
WebLLM/MLC path, including a quick map of which HF domain serves what.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Till JS 2026-04-08 22:51:50 +02:00
parent 63a91e36a2
commit 0af9094096

@ -112,13 +112,22 @@ window.__PUBLIC_GLITCHTIP_DSN__ = ${JSON.stringify(PUBLIC_GLITCHTIP_DSN)};
PUBLIC_MANA_EVENTS_URL_CLIENT,
PUBLIC_MANA_API_URL_CLIENT,
'wss://sync.mana.how',
// @mana/local-llm (WebLLM) downloads model weights + config from
// the mlc-ai HuggingFace repos and the WebGPU model library WASM
// from the binary-mlc-llm-libs GitHub raw host.
// @mana/local-llm (transformers.js) pulls model config + ONNX
// shards from the HuggingFace ecosystem. HF currently uses three
// distinct CDN domains depending on file type and rollout state:
// - huggingface.co → repo metadata + small files
// - *.huggingface.co → cdn-lfs-* hosts for legacy LFS
// - *.hf.co → the new XET-backed CDN
// (cas-bridge.xethub.hf.co etc.)
// We allow the broad wildcards because HF rotates the exact host
// names and a new path lands on a different bucket every few
// months. Adding the narrow ones too keeps older clients happy.
'https://huggingface.co',
'https://*.huggingface.co',
'https://cdn-lfs.huggingface.co',
'https://cdn-lfs-us-1.huggingface.co',
'https://*.hf.co',
'https://cas-bridge.xethub.hf.co',
'https://raw.githubusercontent.com',
// Allow all localhost ports in development
...(isDev ? ['http://localhost:*', 'ws://localhost:*'] : []),
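Review bot: the narrow entries in this list are redundant rather than a stricter fallback, because a CSP `*.` host prefix matches nested subdomains and source lists are unions: `https://*.hf.co` already matches `cas-bridge.xethub.hf.co`, and `https://*.huggingface.co` already covers `cdn-lfs.huggingface.co` and `cdn-lfs-us-1.huggingface.co`. The comment "Adding the narrow ones too keeps older clients happy" should either name the specific browser behaviour it works around or be dropped together with the duplicate entries. Two smaller points: the wildcard extends the allowlist to every current and future `hf.co` subdomain, so it is worth stating in the comment which hosts are actually expected (the comment already names cas-bridge.xethub.hf.co) so the wildcard can be narrowed once the XET hostnames settle; and the removed WebLLM comment was the only justification for `'https://raw.githubusercontent.com'` (the MLC WASM library host), while the new transformers.js comment does not mention it, so either document what still needs that origin or remove the entry.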