This commit brings back all headers previously defined in port443.conf.
The current setup has been missing them since the `add_header` directive
was added to the individual `location` blocks (for CSP). The nginx
manual states:
> These directives are inherited from the previous configuration level
> if and only if there are no add_header directives defined on the
> current level
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
None of the headers are important enough that they would have to be
added to all possible `location` blocks. Adding them to the root block
for each site will be sufficient.
Every variable is unwrapped at runtime and only accounted for in some
commands, which does not include ssl_certificate. Anyone who complains
about this is made fun of. Assholes.
The hub can render Markdown files which can link to images. In the
absence of an image proxy, this commit changes `img-src' to `*' for
the hub, which makes it mirror other services, such as git.sr.ht.
This commit introduces a Strict-Transport-Security header that requires TLS
for the entire sr.ht domain. It expires after 1 year.
SourceHut can be preloaded by submitting `sr.ht' on https://hstspreload.org
once this header has been applied to the root domain.
Issue: https://todo.sr.ht/~sircmpwn/sr.ht/175
This commit adds a CSP policy to all sr.ht domains.
Every domain has the following permissions:
- Pages can load CSS files hosted on the same domain.
- Pages can use inline CSS (style attributes).
- Pages can load images hosted on the same domain.
- Pages can load images 'hosted' using the data: URI.
- Pages can load JavaScript files hosted on the same domain.
Domains that host user-generated markdown (git, hg, todo, man, and paste),
have the following additional permissions:
- Pages can load images hosted anywhere on the Internet.
All other content and/or sources are blocked, including:
- Audio or video displayed via the <audio> and <video> tags.
- Plugin-based content embedded via the <object>, <embed>, and <applet> tags.
- Network traffic such as XMLHttpRequest, WebRTC, and WebSocket.
- Third-party fonts displayed via @font-face.
- Pages displayed inside the <frame> and <iframe> tags.
Issue: https://todo.sr.ht/~sircmpwn/sr.ht/93
Drew DeVault