@dasl/tile-server
v2.1.0
Published
Minimal Express server that isolates DASL tiles in their own origin for browser loading
Readme
@dasl/tile-server
The minimal server that makes browser tile loading safe.
Isolating untrusted DASL tiles in the browser needs two things
a normal static host doesn't give you: a fresh origin per tile, and a service
worker allowed to control that origin. This package is a tiny Express router (and a
CLI) that does exactly that — it serves the loader runtime (the
shuttle and worker from @dasl/tile-loader) under a hardened set
of headers, and redirects each load onto its own random subdomain.
It never sees or stores tile content; it only serves the fixed runtime assets.
Install
npm install @dasl/tile-serverAs a library
createTileLoadingRouter(baseHost) returns an Express router. Give it your base
host; it listens on load.<baseHost> and redirects each request to a random
<subdomain>.<baseHost>:
import express from 'express';
import { createTileLoadingRouter } from '@dasl/tile-server';
const app = express();
app.set('trust proxy', 'loopback'); // needed so req.hostname is right behind a proxy
app.use(createTileLoadingRouter('example.site'));
app.listen(1503);You are responsible for pointing load.example.site and *.example.site at this
app (wildcard DNS + TLS), and for setting loadDomain: 'load.example.site' on the
mothership.
As a CLI
# installed globally, or via npx
tiles-loading-server example.site 8080Starts an Express app on the given port (default 1503) serving the router for the
given base host.
What it enforces
- Per-tile origin isolation — a request to
load.<host>gets a303redirect to a fresh 20-character random subdomain, so every tile loads on its own origin, cross-origin from your site and from every other tile. - A strict Content-Security-Policy on the runtime assets. Notably
default-srcis limited to'self' blob: data:with noconnect-src, so a tile'sfetch/XHR/WebSocketcan't reach arbitrary origins (no data exfiltration);sandboxgrants scripts/forms/popups but not top-navigation or other host-hijacking capabilities;object-src,base-uri, andscript-src-attrare'none'. - Cross-origin isolation & hardening headers —
Cross-Origin-Opener-Policy: same-origin,Cross-Origin-Resource-Policy: cross-origin,Origin-Agent-Cluster: ?1,X-Content-Type-Options: nosniff,Referrer-Policy: no-referrer, interest-cohort/browsing-topics disabled, andService-Worker-Allowed: /so the loader's worker can control the origin.
Everything is served under /.well-known/web-tiles/.
Part of DASL tiles
@dasl/tiles— meta-package re-exporting the whole toolkit@dasl/tile-loader— load tiles in the browser@dasl/tile-writer— write tiles into.tilefiles@dasl/tile-car-reader— read tiles from a CAR file@dasl/tile-lexicon— MASL schema and shared types@dasl/atile— the tile-publishing CLI
License
Apache-2.0
