test: enhance SIZE_REPORTER_SCRIPT validation

- Use regex to ensure postMessage uses specific origin instead of substring check
- Avoid CodeQL false positive for incomplete URL substring sanitization

Author: MarkusNeusinger

tests/unit/api/test_proxy.py

@@ -4,6 +4,7 @@
 Tests URL validation, security checks, and HTML injection.
 """
 
+import re
 from unittest.mock import AsyncMock, patch
 
 import httpx
@@ -256,7 +257,13 @@ class TestSizeReporterScript:
     def test_script_uses_specific_origin(self):
         """Script should use specific origin, not wildcard."""
         assert "'*'" not in SIZE_REPORTER_SCRIPT
-        assert "https://pyplots.ai" in SIZE_REPORTER_SCRIPT
+        # Use regex to verify postMessage uses specific origin, not substring check
+        # This avoids CodeQL's "incomplete URL substring sanitization" false positive
+        # Pattern matches: }, 'https://pyplots.ai') - the end of the postMessage call
+        pattern = r"\},\s*'https://pyplots\.ai'\)"
+        assert re.search(pattern, SIZE_REPORTER_SCRIPT), (
+            "postMessage must use specific origin 'https://pyplots.ai', not '*'"
+        )
 
     def test_script_sends_pyplots_size_message(self):
         """Script should send pyplots-size message type."""