From d4cebca27439d2ed3fb145bec7b77a36f295d6c6 Mon Sep 17 00:00:00 2001 From: Manav Rathi Date: Mon, 2 Dec 2024 09:27:52 +0530 Subject: [PATCH 1/5] Empty --- web/packages/shared/components/MessageContainer.tsx | 0 web/packages/shared/utils/index.ts | 0 2 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 web/packages/shared/components/MessageContainer.tsx delete mode 100644 web/packages/shared/utils/index.ts diff --git a/web/packages/shared/components/MessageContainer.tsx b/web/packages/shared/components/MessageContainer.tsx deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/web/packages/shared/utils/index.ts b/web/packages/shared/utils/index.ts deleted file mode 100644 index e69de29bb2..0000000000 From 7ddc8a65939d6f3ad6f35b35a94fea07a42c45e4 Mon Sep 17 00:00:00 2001 From: Manav Rathi Date: Mon, 2 Dec 2024 09:44:31 +0530 Subject: [PATCH 2/5] Remove unused file Last use was stopped in c2191515eef37cc0e54a10171132be600258f01c --- web/packages/shared/next/utils/headers.js | 42 ----------------------- 1 file changed, 42 deletions(-) delete mode 100644 web/packages/shared/next/utils/headers.js diff --git a/web/packages/shared/next/utils/headers.js b/web/packages/shared/next/utils/headers.js deleted file mode 100644 index 2c4536fe71..0000000000 --- a/web/packages/shared/next/utils/headers.js +++ /dev/null 
@@ -1,42 +0,0 @@
-module.exports = {
- WEB_SECURITY_HEADERS: {
- "Strict-Transport-Security": " max-age=63072000",
- "X-Content-Type-Options": "nosniff",
- "X-Download-Options": "noopen",
- "X-Frame-Options": "deny",
- "X-XSS-Protection": "1; mode=block",
- "Referrer-Policy": "same-origin",
- },
-
- CSP_DIRECTIVES: {
- // self is safe enough
- "default-src": "'self'",
- // data to allow two factor qr code
- "img-src": "'self' blob: data: https://*.openstreetmap.org",
- "media-src": "'self' blob:",
- "manifest-src": "'self'",
- "style-src": "'self' 'unsafe-inline'",
- "font-src ": "'self'; script-src 'self' 'unsafe-eval' blob:",
- "connect-src":
- "'self' https://*.ente.io http://localhost:8080 data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/ https://ente-staging-eu.s3.eu-central-003.backblazeb2.com/ ws://localhost:3000/",
- "base-uri ": "'self'",
- // to allow worker
- "child-src": "'self' blob:",
- "object-src": "'none'",
- "frame-ancestors": " 'none'",
- "form-action": "'none'",
- "report-uri": " https://csp-reporter.ente.io/local",
- "report-to": " https://csp-reporter.ente.io/local",
- },
-
- ALL_ROUTES: "/(.*)",
-
- buildCSPHeader: (directives) => ({
- "Content-Security-Policy-Report-Only": Object.entries(
- directives,
- ).reduce((acc, [key, value]) => acc + `${key} ${value};`, ""),
- }),
-
- convertToNextHeaderFormat: (headers) =>
- Object.entries(headers).map(([key, value]) => ({ key, value })),
-};
From 6d3f177d91f2856b332927e9ac87efb7f6915793 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Mon, 2 Dec 2024 10:47:01 +0530
Subject: [PATCH 3/5] Allow map tiles to be loaded
---
web/apps/photos/public/_headers | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/apps/photos/public/_headers b/web/apps/photos/public/_headers
index 363119f398..993d0adb3e 100644
--- a/web/apps/photos/public/_headers
+++ b/web/apps/photos/public/_headers
@@ -5,5 +5,5 @@
X-Download-Options: noopen
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
- Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' https://assets.ente.io 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/ ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
+ Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data: https://*.openstreetmap.org"; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' https://assets.ente.io 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/ ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
From 269b911cbf931b58fc65717a14bdfa99bf74d055 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Mon, 2 Dec 2024 10:48:45 +0530
Subject: [PATCH 4/5] Prune things not related to auth
---
web/apps/auth/public/_headers | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/apps/auth/public/_headers b/web/apps/auth/public/_headers
index 363119f398..41224370ba 100644
--- a/web/apps/auth/public/_headers
+++ b/web/apps/auth/public/_headers
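Review bot: The img-src source added on the new Content-Security-Policy-Report-Only line carries a stray double quote, `https://*.openstreetmap.org"`, which looks copied from the JS string literal in the headers.js module deleted in the previous patch; a `"` is not a valid character in a CSP host-source, so browsers are expected to drop that one source expression as invalid and keep reporting tile loads from openstreetmap.org as img-src violations. Because the policy is Report-Only the tiles still render, which is why this is easy to miss in manual testing. The line should read `img-src 'self' blob: data: https://*.openstreetmap.org;`. The same stray quote is still present on both the old and the new side of the photos _headers hunk in the final "sp" patch, so it needs fixing there as well. Checking the csp-reporter endpoint for img-src reports whose blocked URI is an openstreetmap tile is a quick way to confirm before and after.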
@@ -5,5 +5,5 @@
X-Download-Options: noopen
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
- Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' https://assets.ente.io 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/ ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
+ Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob:; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
From e664b7ac30531f7f15f982c42d2692f79fb4c301 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Mon, 2 Dec 2024 11:56:24 +0530
Subject: [PATCH 5/5] sp
---
web/apps/auth/public/_headers | 2 +-
web/apps/photos/public/_headers | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/apps/auth/public/_headers b/web/apps/auth/public/_headers
index 41224370ba..27d91b010a 100644
--- a/web/apps/auth/public/_headers
+++ b/web/apps/auth/public/_headers
@@ -1,6 +1,6 @@
/*
Cache-Control: no-store, must-revalidate
- Strict-Transport-Security: max-age=63072000
+ Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
diff --git a/web/apps/photos/public/_headers b/web/apps/photos/public/_headers
index 993d0adb3e..5eee5f5954 100644
--- a/web/apps/photos/public/_headers
+++ b/web/apps/photos/public/_headers
@@ -1,9 +1,9 @@
/*
Cache-Control: no-store, must-revalidate
- Strict-Transport-Security: max-age=63072000
+ Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
- Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data: https://*.openstreetmap.org"; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' https://assets.ente.io 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/ ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
+ Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data: https://*.openstreetmap.org"; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' https://assets.ente.io 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;