Problem
The Partytown recipe includes a /reverse-proxy route that mirrors upstream response headers from allowlisted domains. If an allowlisted host returns active document content, the storefront can serve that content as same-origin through the recipe route.
This recipe is production guidance, so the proxy should fail closed for unsafe response types.
Expected behaviour
- Reject proxied document-style responses instead of forwarding them.
- Keep the route usable for the third-party script responses the recipe is intended to proxy.
- Add defensive response headers for proxied content.
- Regenerate the Partytown recipe docs after changing the ingredient source.
Problem
The Partytown recipe includes a
/reverse-proxyroute that mirrors upstream response headers from allowlisted domains. If an allowlisted host returns active document content, the storefront can serve that content as same-origin through the recipe route.This recipe is production guidance, so the proxy should fail closed for unsafe response types.
Expected behaviour