fix(privacy): generate invite QR locally instead of api.qrserver.com (H5)

The Share Room QR was fetched from the third-party api.qrserver.com, leaking
which rooms a user shares (and failing offline / under strict CSP). Now rendered
locally via qrcode.react (QRCodeSVG) — no network request, works offline. Added a
white quiet-zone container so the code scans on any theme; dropped the qrError
fallback (local generation can't fail the same way). Removed api.qrserver.com
from the prod CSP img-src (matrix repo). Build verified (rolldown interop OK).
Verification steps added to LOTUS_TESTING.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 22:19:22 -04:00
parent dcd8201e16
commit a899d7d3a8
4 changed files with 28 additions and 32 deletions
+1
@@ -82,6 +82,7 @@
"millify": "6.1.0",
"pdfjs-dist": "5.7.284",
"prismjs": "1.30.0",
"qrcode.react": "4.2.0",
"react": "19.2.6",
"react-aria": "3.48.0",
"react-blurhash": "0.3.0",
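Review bot: the added "qrcode.react": "4.2.0" line brings a new third-party package into the client bundle, and only the manifest entry is visible in this hunk; please confirm the lockfile is updated in the same commit so the resolved package and its integrity hash are pinned, not just the version string. The exact-version pin matches the neighbouring entries, which is the right convention to keep. The commit message says the api.qrserver.com removal from the CSP img-src landed in a different repo, so reference that commit here so the two changes can be reviewed and reverted together; until the CSP change is deployed the old origin is still allowed by policy even though the code no longer requests it.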