Deploy: fix JS served as JSON envelope #54

Merged

will.anderson merged 2 commits from dev into stage

2026-05-10 22:35:02 +00:00

Author	SHA1	Message	Date
will.anderson	9da4d50883	Merge pull request 'Fix JS files served as JSON envelope (checkout/Stripe/auth all broken)' (#53 ) from fix/checkout-auth-reveal into dev Dev — Build & local smoke test / build-smoke (push) Failing after 2m4s Details Fix JS files served as JSON envelope (checkout/Stripe/auth all broken)	2026-05-10 22:34:32 +00:00
will.anderson	c99ca82302	Fix JS files served as raw JSON envelope instead of JavaScript Dev — Build & local smoke test / build-smoke (pull_request) Failing after 1m36s Details http_parse_envelope() called json_parse() on the entire response envelope (~47KB when body is obfuscated JS). The parser failed on large/complex content, so is_envelope=0 and the raw JSON was sent — browsers got {"el_http_response":1,...} instead of executable JavaScript, silently breaking all client-side code. Fix: replace json_parse-of-full-envelope with a direct field scanner: - "status" extracted via strtol - "headers" object extracted via brace-depth scan, then json_parse only that small substring (always safe — headers are simple k/v string pairs < 1KB) - "body" string extracted via jp_parse_string_raw — no intermediate allocation Also: /js/* route now returns http_response(200, js_headers_json(), content) with explicit Content-Type: application/javascript so the browser doesn't apply the json-heuristic (obfuscated JS starting with '[' was detected as JSON, which with X-Content-Type-Options: nosniff blocks script execution).	2026-05-10 17:32:45 -05:00

Author

SHA1

Message

Date

will.anderson

9da4d50883

Merge pull request 'Fix JS files served as JSON envelope (checkout/Stripe/auth all broken)' (#53 ) from fix/checkout-auth-reveal into dev

Dev — Build & local smoke test / build-smoke (push) Failing after 2m4s

Details

Fix JS files served as JSON envelope (checkout/Stripe/auth all broken)

2026-05-10 22:34:32 +00:00

will.anderson

c99ca82302

Fix JS files served as raw JSON envelope instead of JavaScript

Dev — Build & local smoke test / build-smoke (pull_request) Failing after 1m36s

Details

http_parse_envelope() called json_parse() on the entire response envelope
(~47KB when body is obfuscated JS). The parser failed on large/complex content,
so is_envelope=0 and the raw JSON was sent — browsers got {"el_http_response":1,...}
instead of executable JavaScript, silently breaking all client-side code.

Fix: replace json_parse-of-full-envelope with a direct field scanner:
- "status" extracted via strtol
- "headers" object extracted via brace-depth scan, then json_parse only that
  small substring (always safe — headers are simple k/v string pairs < 1KB)
- "body" string extracted via jp_parse_string_raw — no intermediate allocation

Also: /js/* route now returns http_response(200, js_headers_json(), content)
with explicit Content-Type: application/javascript so the browser doesn't
apply the json-heuristic (obfuscated JS starting with '[' was detected as JSON,
which with X-Content-Type-Options: nosniff blocks script execution).

2026-05-10 17:32:45 -05:00

Deploy: fix JS served as JSON envelope #54

2 Commits