Add iframe fetch proxy allowlist for ProcessGit viewer

[rg4444]

Motivation

• Fix CORS failures when the viewer runs inside an iframe.srcdoc by proxying fetches through the parent page.
• Tighten security of the fetch proxy to avoid accidentally allowing cross-origin requests or arbitrary paths.

Description

• Updated the parent message handler in web_src/js/features/processgitviewer/index.ts to use stricter typing and accept PGV_FETCH requests.
• Added a hard allow-list that requires same-origin URLs and restricts paths to match /raw/ or /src/, and surface HTTP error codes when fetch responses are not OK.
• Preserve the PGV_FETCH_RESULT response shape (including reqId when present) and return ok: false plus an error string on failures.

Testing

• No automated tests were run for this change.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 46422823ac

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Allow-list blocks ProcessGit viewer API fetches

The new allow-list only permits paths containing /raw/ or /src/. The ProcessGit viewer payload includes an apiUrl that points to /api/processgitviewer (see routers/web/repo/view_file.go), and embedded viewer code can legitimately use PGV_FETCH to read through that API when running in the srcdoc iframe. With this change, any such request will now hit the path blocked error, breaking viewers that depend on the API. If the intent is to keep /api/processgitviewer available, the allow-list should include that path too.

Useful? React with 👍 / 👎.