From 9efbdedab8b027ad88656295d549bdd0c7c2e7a8 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 26 Jan 2026 19:16:08 +0100
Subject: [PATCH] Fix: Disable helmet cross-origin headers causing blank page
 on HTTP access via IP (#1026)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomasnordquist <7721625+thomasnordquist@users.noreply.github.com>
---
 src/server.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/server.ts b/src/server.ts
index bcc4657..e245dcb 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -92,6 +92,12 @@ async function startServer() {
             preload: true,
           }
         : false,
+      // Disable cross-origin policies that cause blank pages when accessing via IP vs localhost
+      // These headers can block resources and cause rendering issues on HTTP-only deployments
+      crossOriginEmbedderPolicy: false, // Can block resources without proper CORP headers
+      crossOriginOpenerPolicy: false, // Can cause blank pages and window isolation issues
+      crossOriginResourcePolicy: false, // Can block cross-origin resource loading
+      originAgentCluster: false, // Causes issues when switching between localhost and IP address origins
     })
   )