fix: server-side payload cap + cleaner image abort
Addresses Copilot review on PR #9: - /api/vision: add MAX_ANNOTATED_BYTES (3 MB) cap on annotatedImageBase64, plus an explicit type/non-empty check. Browser annotator resizes to 768 wide (typically 200-800 KB base64), so 3 MB rejects abusive direct-API payloads that would otherwise inflate upstream vision LLM costs. - annotateClient: replace `img.src = ""` on timeout with removeAttribute to avoid the legacy browser behavior of treating empty src as a navigation to the current document URL. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -59,7 +59,9 @@ function loadImage(
|
||||
return new Promise((resolve, reject) => {
|
||||
const img = new Image();
|
||||
const timer = setTimeout(() => {
|
||||
img.src = "";
|
||||
// removeAttribute, not `src = ""` — setting empty string can trigger
|
||||
// a navigation to the current document URL in some browsers.
|
||||
img.removeAttribute("src");
|
||||
reject(new Error(`Image load timed out after ${timeoutMs}ms`));
|
||||
}, timeoutMs);
|
||||
img.crossOrigin = "anonymous";
|
||||
|
||||
Reference in New Issue
Block a user