From a0f6362c1b72a3fd6692fd612739df9bf8d89467 Mon Sep 17 00:00:00 2001
From: Hikari
Date: Fri, 20 Feb 2026 01:04:15 -0800
Subject: [PATCH] fix: prevent service worker from caching external resources

The service worker was causing issues by trying to cache external resources:
- CDN images (cdn.nhcarrigan.com)
- Analytics scripts
- External fonts
- Ad scripts

This violated CSP policies and caused 429 rate limit errors.

Fixes:
- Only cache same-origin images
- Only cache same-origin static assets (JS/CSS/fonts)
- External resources bypass the service worker entirely
- Added origin checks before caching
- Added response.ok checks before caching

This prevents CSP violations and eliminates the freezing/429 errors.
---
 apps/frontend/src/service-worker.js | 34 ++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/apps/frontend/src/service-worker.js b/apps/frontend/src/service-worker.js
index 3ea146a..7365e01 100644
--- a/apps/frontend/src/service-worker.js
+++ b/apps/frontend/src/service-worker.js
@@ -92,18 +92,25 @@ self.addEventListener('fetch', (event) => {
 return;
 }

- // Images - Cache first, network fallback
+ // Images - Cache first, network fallback (only for same-origin)
 if (request.destination === 'image' || url.pathname.match(/\.(jpg|jpeg|png|gif|webp|svg)$/)) {
+ // Don't cache external images
+ if (url.origin !== self.location.origin) {
+ return;
+ }
+
 event.respondWith(
 caches.match(request).then((cachedResponse) => {
 if (cachedResponse) {
 return cachedResponse;
 }
 return fetch(request).then((response) => {
- const responseClone = response.clone();
- caches.open(IMAGE_CACHE).then((cache) => {
- cache.put(request, responseClone);
- });
+ if (response.ok) {
+ const responseClone = response.clone();
+ caches.open(IMAGE_CACHE).then((cache) => {
+ cache.put(request, responseClone);
+ });
+ }
 return response;
 });
 })
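Review bot: The added `if (response.ok)` guard in the image branch still stores every same-origin 2xx response, and Cache Storage does not consult `Cache-Control`, so an image served with `no-store` or `private` (a per-user or authenticated image, if this origin has any) would be kept in IMAGE_CACHE and served cache-first to whoever uses the browser next. Nothing in the hunk shows whether such responses exist; if they do, tighten the guard to `if (response.ok && !/no-store|private/i.test(response.headers.get('Cache-Control') ?? ''))`. The write itself is fire-and-forget: `caches.open(IMAGE_CACHE).then(...)` is neither returned nor passed to `event.waitUntil(...)`, and it has no `.catch`, so a quota or `put` failure becomes an unhandled rejection. Both points apply equally to the STATIC_CACHE write in the second hunk. The fetch handler begins and ends outside this hunk.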
@@ -111,18 +118,25 @@ self.addEventListener('fetch', (event) => {
 return;
 }

- // Static assets - Cache first, network fallback
+ // Static assets - Cache first, network fallback (only for same-origin)
 if (url.pathname.match(/\.(js|css|woff|woff2|ttf|eot)$/)) {
+ // Don't cache external scripts/styles (CDN resources, analytics, etc.)
+ if (url.origin !== self.location.origin) {
+ return;
+ }
+
 event.respondWith(
 caches.match(request).then((cachedResponse) => {
 if (cachedResponse) {
 return cachedResponse;
 }
 return fetch(request).then((response) => {
- const responseClone = response.clone();
- caches.open(STATIC_CACHE).then((cache) => {
- cache.put(request, responseClone);
- });
+ if (response.ok) {
+ const responseClone = response.clone();
+ caches.open(STATIC_CACHE).then((cache) => {
+ cache.put(request, responseClone);
+ });
+ }
 return response;
 });
 })
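Review bot: With the origin guard in place this branch serves same-origin `.js` and `.css` cache-first and never revalidates, so once a script is in STATIC_CACHE a returning client keeps running it even after a fixed build is deployed. That is only safe if asset filenames are content-hashed, or if STATIC_CACHE is renamed per release and old caches are deleted on `activate`; neither is visible in this hunk. I would state the assumption next to the branch, e.g. `// Cache-first relies on hashed filenames / a versioned STATIC_CACHE; unversioned assets would never update`, or move to stale-while-revalidate if filenames are stable. The handler's body continues outside the hunk.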