PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-25 16:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: track vendor JS files, add 'unsafe-inline' to public CSP, gitignore filepond tmp

Browse Source 
- Track vendor JS files (filepond, htmx, overtype) that were moved
  to app/public/assets/js/vendor/ but never tracked → missing from deploys
- Add script-src 'self' 'unsafe-inline' to main CSP header so public
  pages (jury fieldset, repertoire, partage) can use inline scripts
  and onclick handlers
- Add storage/tmp/filepond/* to .gitignore with .gitkeep, and exclude
  from deploy rsync to avoid syncing local test uploads to production
This commit is contained in:
Pontoporeia
2026-05-12 10:35:58 +02:00
parent 2e9ebfc684
commit 1ff3c70ebe
5 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nginx/xamxam.conf
View File

@@ -37,7 +37,7 @@ server {
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;