This commit brings back all headers previously defined in port443.conf.
The current setup has been missing them since the `add_header` directive
was added to the individual `location` blocks (for CSP). The nginx
manual states:
> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
None of the headers are important enough that they would have to be
added to all possible `location` blocks. Adding them to the root block
for each site will be sufficient.
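The inheritance rule quoted above is easy to trip over, so here is an added example (not the sr.ht configuration itself) showing the broken layout next to the fixed one. The hostname, paths and header names are placeholders chosen for illustration; "root block" is taken here to mean the `server` block.

```nginx
# BROKEN: the two server-level headers are NOT sent for /static/, because
# that location defines its own add_header and therefore inherits none.
server {
    listen 443 ssl;
    server_name example.sr.ht;          # placeholder

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    location /static/ {
        alias /srv/example/static/;     # placeholder
        # Only this header reaches the client for /static/ responses.
        add_header Content-Security-Policy "default-src 'none'";
    }
}

# FIXED: every site-wide header, the CSP included, lives in the server block.
# No location block declares add_header, so all three are inherited everywhere.
server {
    listen 443 ssl;
    server_name example.sr.ht;          # placeholder

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'none'";

    location /static/ {
        alias /srv/example/static/;     # placeholder
        # no add_header here: all three headers above are inherited
    }
}
```

One further check worth doing: `curl -sI https://example.sr.ht/static/x.css` against the broken layout shows only the CSP, against the fixed one all three headers. Note also that `add_header` without the `always` parameter only applies to 2xx/3xx responses, so a header that must reach the client on error pages too needs `always` (nginx 1.7.5 and later).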
Every variable is unwrapped at runtime and only accounted for in some
commands, which does not include ssl_certificate. Anyone who complains
about this is made fun of. Assholes.
This commit introduces a Strict-Transport-Security header that requires TLS
for the entire sr.ht domain. It expires after 1 year.
SourceHut can be preloaded by submitting `sr.ht` on https://hstspreload.org
once this header has been applied to the root domain.
Issue: https://todo.sr.ht/~sircmpwn/sr.ht/175
This commit adds a CSP policy to all sr.ht domains.
Every domain has the following permissions:
- Pages can load CSS files hosted on the same domain.
- Pages can use inline CSS (style attributes).
- Pages can load images hosted on the same domain.
- Pages can load images 'hosted' using the data: URI.
- Pages can load JavaScript files hosted on the same domain.
Domains that host user-generated markdown (git, hg, todo, man, and paste)
have the following additional permissions:
- Pages can load images hosted anywhere on the Internet.
All other content and/or sources are blocked, including:
- Audio or video displayed via the <audio> and <video> tags.
- Plugin-based content embedded via the <object>, <embed>, and <applet> tags.
- Network traffic such as XMLHttpRequest, WebRTC, and WebSocket.
- Third-party fonts displayed via @font-face.
- Pages displayed inside the <frame> and <iframe> tags.
Issue: https://todo.sr.ht/~sircmpwn/sr.ht/93
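As an added example (not the sr.ht configuration), the HSTS header from the previous commit message and the two CSP variants from this one, written as nginx directives. The hostnames, the `$csp_policy` variable name and the paths are placeholders; the `includeSubDomains` and `preload` tokens are the ones hstspreload.org requires for a preload submission, and `max-age=31536000` is the one-year lifetime the commit message describes.

```nginx
# http context: choose the CSP per host. With default-src 'none', every
# fetch directive that is not listed (media-src, object-src, connect-src,
# font-src, frame-src, ...) falls back to 'none', which is what blocks
# <audio>/<video>, plugins, XHR/WebSocket/WebRTC, web fonts and frames.
map $host $csp_policy {
    # All other domains: same-origin CSS, inline styles, same-origin and
    # data: images, same-origin scripts.
    default
        "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'";

    # Domains that render user-supplied markdown additionally allow images
    # from anywhere. '*' does not cover data:, so data: stays listed.
    "~^(git|hg|todo|man|paste)\.example\.org$"
        "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'";
}

server {
    listen 443 ssl;
    server_name example.org *.example.org;  # placeholder

    # One year, every subdomain, eligible for the preload list.
    # "always" keeps the header on 4xx/5xx responses as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy $csp_policy always;

    location / {
        root /srv/www;                      # placeholder
        # no add_header here, so both headers above are inherited
    }
}
```

Before submitting to hstspreload.org, confirm with `curl -sI https://example.org/` that the root domain itself sends the header with all three tokens and that plain HTTP redirects to HTTPS; the preload check rejects a submission where only subdomains carry it.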