Skip to content

v0.6.2 CDN/Xet CSP hotfix

Choose a tag to compare

@WilsonLe WilsonLe released this 29 Jun 17:13
cbcacd6

v0.6.2 CDN/Xet CSP hotfix

Patch release over v0.6.1 for production model downloads.

Changes

  • Allows the exact Hugging Face CDN/Xet redirect origin https://us.aws.cdn.hf.co in production connect-src alongside https://huggingface.co.
  • Preserves direct-route SPA fallback and existing security headers.
  • Preserves v0.6 task-first UI and all model/profile/storage/training/privacy schemas.
  • Keeps v0.6.0 and v0.6.1 release tags/assets immutable.

Verification required for publication

  • Required CI passes on the v0.6.2 release commit.
  • Production alias returns direct routes with connect-src 'self' https://huggingface.co https://us.aws.cdn.hf.co.
  • Browser smoke verifies the model install path under production CSP without broad wildcard origins.

Known limitations

  • Issue #255 remains open for moderated release-usability participant evidence.
  • ADR 0004 and ADR 0005 production accuracy/performance evidence limitations remain unresolved.