Merge pull request 'more permissions-policy' (#43) from develop into master
Some checks failed
Lint / pnpm_install (push) Successful in 1m36s
Publish Docker image / Build (push) Successful in 4m30s
Test (production install and build) / production (22.11.0) (push) Successful in 1m6s
Test (backend) / unit (22.11.0) (push) Failing after 7m25s
Lint / lint (backend) (push) Successful in 2m22s
Lint / lint (frontend-embed) (push) Successful in 2m9s
Lint / lint (frontend) (push) Successful in 2m40s
Lint / lint (frontend-shared) (push) Successful in 2m24s
Lint / lint (misskey-js) (push) Successful in 2m14s
Lint / lint (misskey-bubble-game) (push) Successful in 2m40s
Lint / lint (misskey-reversi) (push) Successful in 2m33s
Lint / typecheck (backend) (push) Successful in 2m25s
Lint / typecheck (misskey-js) (push) Successful in 1m29s
Lint / lint (sw) (push) Successful in 3m7s
Lint / typecheck (sw) (push) Successful in 2m1s
Some checks failed
Lint / pnpm_install (push) Successful in 1m36s
Publish Docker image / Build (push) Successful in 4m30s
Test (production install and build) / production (22.11.0) (push) Successful in 1m6s
Test (backend) / unit (22.11.0) (push) Failing after 7m25s
Lint / lint (backend) (push) Successful in 2m22s
Lint / lint (frontend-embed) (push) Successful in 2m9s
Lint / lint (frontend) (push) Successful in 2m40s
Lint / lint (frontend-shared) (push) Successful in 2m24s
Lint / lint (misskey-js) (push) Successful in 2m14s
Lint / lint (misskey-bubble-game) (push) Successful in 2m40s
Lint / lint (misskey-reversi) (push) Successful in 2m33s
Lint / typecheck (backend) (push) Successful in 2m25s
Lint / typecheck (misskey-js) (push) Successful in 1m29s
Lint / lint (sw) (push) Successful in 3m7s
Lint / typecheck (sw) (push) Successful in 2m1s
Reviewed-on: #43
This commit is contained in:
commit
b3915f6cec
3 changed files with 12 additions and 12 deletions
|
|
@ -278,7 +278,17 @@ export class ServerService implements OnApplicationShutdown {
|
|||
// Other Security/Privacy Headers
|
||||
fastify.addHook('onRequest', (_, reply, done) => {
|
||||
reply.header('x-content-type-options', 'nosniff');
|
||||
reply.header('permissions-policy', 'interest-cohort=()'); // Disable FLoC
|
||||
reply.header('permissions-policy',
|
||||
[
|
||||
'interest-cohort',
|
||||
'encrypted-media',
|
||||
'attribution-reporting',
|
||||
'geolocation', 'microphone', 'camera',
|
||||
'midi', 'payment', 'usb', 'serial',
|
||||
'xr-spatial-tracking'
|
||||
]
|
||||
.map(feature => `${feature}=()`).join(', '));
|
||||
|
||||
if (this.config.browserSandboxing.strictOriginReferrer) {
|
||||
reply.header('referrer-policy', 'strict-origin');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@ export const commonPugFilters = {
|
|||
throw new Error('Invalid mimeType');
|
||||
}
|
||||
const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
|
||||
return `<${options.tagName} data="${dataURI}"></${options.tagName}>`;
|
||||
return `<${options.tagName} src="${dataURI}"></${options.tagName}>`;
|
||||
}
|
||||
} as const;
|
||||
|
|
|
|||
|
|
@ -248,16 +248,6 @@ export class ClientServerService {
|
|||
fastify.addHook('onRequest', makeHstsHook(host, preload));
|
||||
}
|
||||
|
||||
// Other Security/Privacy Headers
|
||||
fastify.addHook('onRequest', (_, reply, done) => {
|
||||
reply.header('x-content-type-options', 'nosniff');
|
||||
reply.header('permissions-policy', 'interest-cohort=()'); // Disable FLoC
|
||||
if (this.config.browserSandboxing.strictOriginReferrer ?? true) {
|
||||
reply.header('referrer-policy', 'strict-origin');
|
||||
}
|
||||
done();
|
||||
});
|
||||
|
||||
// CSP
|
||||
if (process.env.NODE_ENV === 'production') {
|
||||
console.debug('cspPrerenderedContent', this.config.cspPrerenderedContent);
|
||||
|
|
|
|||
Loading…
Reference in a new issue