diff --git a/.gitignore b/.gitignore index 6466f45..2f3e00e 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,8 @@ app/storage/banners/* !app/storage/banners/.gitkeep app/storage/tmp/* !app/storage/tmp/.gitkeep +app/storage/tmp/filepond/* +!app/storage/tmp/filepond/.gitkeep # Nix .direnv/ diff --git a/TODO.md b/TODO.md index 1694935..3c2ef2b 100644 --- a/TODO.md +++ b/TODO.md @@ -7,3 +7,10 @@ - [x] Step 5 — Update upload-progress.js (new collectFileNames, pending-uploads guard) - [ ] Step 6 — QA / integration testing - [ ] Step 7 — Cleanup: remove transition flags, remove INPUT_ID_TO_TYPE + +# CSP & Deploy Fixes (May 2026) + +- [x] Track vendor JS files in jj (they were moved to vendor/ but never `jj file track`ed) +- [x] Add `script-src 'self' 'unsafe-inline'` to main CSP header (public pages use inline scripts + onclick handlers) +- [x] Add `storage/tmp/filepond/*` to .gitignore + rsync exclude, with .gitkeep +- [ ] Deploy: `just deploy` to sync vendor JS files + updated CSP + .gitkeep to server diff --git a/app/templates/admin/acces.php b/app/templates/admin/acces.php index 6c1edeb..1a15453 100644 --- a/app/templates/admin/acces.php +++ b/app/templates/admin/acces.php @@ -1546,6 +1546,19 @@ +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +\\\\\\\ to: uzsxkykq c23ac0f6 "filepond: fix audio/mp3 MIME, immediate PeerTube upload, handle nested queue $_FILES" (rebased revision) ++ $linkName = $link['name'] ?? ''; +++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: uzsxkykq c23ac0f6 "filepond: fix audio/mp3 MIME, immediate PeerTube upload, handle nested queue $_FILES" (rebased revision) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +- $linkName = $link['name'] ?? ''; +- $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: uktvpzsn c1c0a4b0 "fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp" (rebased revision) + $linkName = $link['name'] ?? ''; + $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; + $linkLockedYear = $link['locked_year'] ?? null; ++%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) ++\\\\\\\ to: uktvpzsn ce8e9ac6 "fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp" (rebased revision) +++ $linkName = $link['name'] ?? ''; ++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; ?> diff --git a/justfile b/justfile index 95aa955..51e1d82 100644 --- a/justfile +++ b/justfile @@ -41,7 +41,7 @@ deploy: # Main deploy (code + assets) then run any pending DB migrations rsync -vur --progress --delete \ --chown="www-data:xamxam" \ - --exclude 'vendor' \ + --exclude '/vendor' \ --exclude 'tests' \ --exclude '*.md' \ --exclude '.git*' \ @@ -58,6 +58,7 @@ deploy: --exclude 'storage/maintenance.flag' \ --exclude 'storage/fixtures' \ --exclude 'storage/docs' \ + --exclude 'storage/tmp/filepond/*' \ --exclude 'var/' \ app/ xamxam:/var/www/xamxam/ # Deploy nginx config + fix permissions + reload (single server-side run) diff --git a/nginx/xamxam.conf b/nginx/xamxam.conf index 6aa2ce4..06324bc 100644 --- a/nginx/xamxam.conf +++ b/nginx/xamxam.conf @@ -37,7 +37,7 @@ server { # Security headers add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always; - add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;