Remove unpkg.com dependency and serve manifold assets locally

api/shapes.js

@@ -45,6 +45,8 @@ async function getManifold() {
   return manifoldInitPromise;
 }
 
+export { getManifold };
+
 export function setFlockReference(ref) {
   flock = ref;
 }

docs/CSP_POLICY.md

@@ -10,8 +10,8 @@ Content Security Policy (CSP) is defined in two places:
 Core flows tested (app load, Blockly interaction, run code in sandbox, project export/import trigger, analytics path) observed these runtime source origins:
 
 - **document / stylesheet / image / font / xhr**: `self` (`http://127.0.0.1:4173` in local smoke run)
-- **script**: `self`, `https://www.googletagmanager.com`, `https://unpkg.com`
-- **fetch / connect**: `self`, `https://www.google-analytics.com`, `https://unpkg.com`
+- **script**: `self`, `https://www.googletagmanager.com`
+- **fetch / connect**: `self`, `https://www.google-analytics.com`
 
 ## Why each non-self origin is required
 
@@ -23,9 +23,6 @@ Core flows tested (app load, Blockly interaction, run code in sandbox, project e
   - Optional Google Analytics transport endpoint used by some environments.
 - `https://region1.google-analytics.com`
   - Regional Google Analytics endpoint used by some environments.
-- `https://unpkg.com`
-  - Used by `manifold-3d` runtime assets (`manifold.js` / `manifold.wasm`) in browser execution.
-
 ## Current CSP
 
 Header policy (authoritative):
@@ -35,11 +32,11 @@ default-src 'self';
 base-uri 'self';
 form-action 'self';
 object-src 'none';
-script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com;
+script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com;
 style-src 'self' 'unsafe-inline';
 img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com;
 font-src 'self' data:;
-connect-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com;
+connect-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net;
 media-src 'self' data: blob:;
 worker-src 'self' blob:;
 frame-src 'self';

flock.js

@@ -47,7 +47,7 @@ import {
         setFlockReference as setFlockMovement,
 } from "./api/movement";
 import { flockModels, setFlockReference as setFlockModels } from "./api/models";
-import { flockShapes, setFlockReference as setFlockShapes } from "./api/shapes";
+import { flockShapes, setFlockReference as setFlockShapes, getManifold } from "./api/shapes";
 import {
         flockTransform,
         setFlockReference as setFlockTransform,
@@ -1258,7 +1258,15 @@ export const flock = {
                 flock.abortController = new AbortController();
 
                 try {
-                        await flock.BABYLON.InitializeCSG2Async();
+                        // Pre-load the manifold-3d wasm module (which already redirects
+                        // its WASM fetch to the locally-served /wasm/manifold.wasm via
+                        // locateFile) and inject it into BabylonJS so InitializeCSG2Async
+                        // never fetches from unpkg.com.
+                        const manifoldWasm = await getManifold();
+                        await flock.BABYLON.InitializeCSG2Async({
+                                manifoldInstance: manifoldWasm.Manifold,
+                                manifoldMeshInstance: manifoldWasm.Mesh,
+                        });
                 } catch (error) {
                         console.error("Error initializing CSG2:", error);
                 }

index.html

@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <meta
       http-equiv="Content-Security-Policy"
-      content="default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'"
+      content="default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'"
     />
     <title>Flock XR - Creative coding in 3D</title>
     <meta name="description" content="Flock XR: The free 3D coding and creation tool for young people.">

vite.config.mjs

@@ -10,7 +10,7 @@ const isProduction = process.env.NODE_ENV === 'production';
 const BASE_URL = process.env.VITE_BASE_URL || '/';
 
 // `frame-ancestors` is only enforced from HTTP headers (ignored in CSP meta tags).
-const CSP_META_POLICY = "default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net https://unpkg.com; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'";
+const CSP_META_POLICY = "default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data:; connect-src 'self' https: https://www.googletagmanager.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; media-src 'self' data: blob:; worker-src 'self' blob:; frame-src 'self'; manifest-src 'self'";
 const CSP_HEADER_POLICY = `${CSP_META_POLICY}; frame-ancestors 'self'`;
 
 export default {