fix: admin CSP allow inline scripts

script-src 'self' 'unsafe-inline' added to admin Content-Security-Policy.
default-src 'self' was blocking OverType editor init block and
the dev live-reload poller. Admin section is auth-gated so
unsafe-inline is acceptable.
Pontoporeia
2026-04-06 16:49:14 +02:00
parent e6960f0c9c
commit b45e6c50cc
4 changed files with 21 additions and 10 deletions


@@ -11,6 +11,10 @@ Pending tasks have been split into topic files under [`todo/`](todo/README.md):
## Recently completed (this session)
- [x] `scripts/deploy-server.sh` — add step 4: `systemctl reload nginx` runs automatically; remove manual reload instruction from justfile
- [x] `nginx/posterg.conf` — add `script-src 'self' 'unsafe-inline'` to admin CSP; `default-src 'self'` was blocking OverType init script and live-reload poller
- [x] `RateLimit.php` — silence `mkdir()` with `@`; guard `file_put_contents` with `is_writable()` check so permission errors degrade gracefully (allow request, skip write) instead of spamming nginx error log
- [x] `scripts/deploy-server.sh` + `scripts/setup-server.sh` — add `mkdir -p storage/cache/rate_limit` + `chown`/`chmod 2775` so php-fpm has write access on fresh deploys
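Review bot: On the `nginx/posterg.conf` entry, `'unsafe-inline'` in `script-src` removes the CSP's protection against injected inline script on every admin page, and the auth gate does not cover that case, because any markup that reaches an admin view then executes inside an authenticated session. Consider a per-response nonce or a hash for the OverType init block, and serving the live-reload poller only from the dev configuration, so the production admin policy can stay at `script-src 'self'`. On the `RateLimit.php` entry, `@mkdir()` combined with skipping the write when the directory is not writable means the limiter fails open with no trace; a single logged warning for that condition would keep the error log quiet while still making the disabled limiter visible.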