@abtnode/router-provider 1.16.49-beta-20250828-094758-93e69d1f → 1.16.49-beta-20250829-075052-2563fcb3

@@ -447,3 +447,13 @@ SecRule REQUEST_FILENAME "@contains /discussions/add" \
447
447
  chain"
448
448
  SecRule REQUEST_METHOD "@pm GET POST PUT" \
449
449
  "ctl:ruleEngine=Off"
450
+
451
+ # Disable header injection for static assets
452
+ SecRule REQUEST_FILENAME "@beginsWith /.blocklet/proxy" \
453
+ "id:1030,\
454
+ phase:1,\
455
+ pass,\
456
+ nolog,\
457
+ chain"
458
+ SecRule REQUEST_METHOD "@pm GET" \
459
+ "ctl:ruleEngine=Off"
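Review bot: `ctl:ruleEngine=Off` on the new rule 1030 switches off every ModSecurity rule for GET requests under /.blocklet/proxy, which is broader than the comment `# Disable header injection for static assets` describes; if only the header-injection rule(s) need to be skipped, `ctl:ruleRemoveById=<header-injection rule id>` keeps the rest of the rule set active for those requests. `@beginsWith /.blocklet/proxy` is a plain prefix match, so it also covers any sibling path that starts with that string; if `/.blocklet/proxy` is a directory, `SecRule REQUEST_FILENAME "@beginsWith /.blocklet/proxy/" \` pins it to that directory. The construction mirrors the existing /discussions/add rule just above, so if the full exemption is intentional the comment should say so, e.g. `# Skip the rule engine entirely for static assets served via /.blocklet/proxy`. The rules file's name is outside this hunk.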
@@ -26,6 +26,10 @@ const {
26
26
  GATEWAY_RATE_LIMIT_GLOBAL,
27
27
  GATEWAY_RATE_LIMIT,
28
28
  DOMAIN_FOR_IP_SITE_REGEXP,
29
+ CSP_OFFICIAL_SOURCES,
30
+ CSP_SYSTEM_SOURCES,
31
+ CSP_THIRD_PARTY_SOURCES,
32
+ CSP_ICONIFY_SOURCES,
29
33
  } = require('@abtnode/constant');
30
34
  const { toHex } = require('@ocap/util');
31
35
  const promiseRetry = require('promise-retry');
@@ -891,23 +895,27 @@ class NginxProvider extends BaseProvider {
891
895
 
892
896
  _ensureDaemonSecurityHeaders() {
893
897
  const securityFilePath = path.join(this.includesDir, 'daemon', 'security');
894
- const cspSources = [
895
- 'https://*.blocklet.dev',
896
- 'wss://*.blocklet.dev',
897
- 'https://didnames.io',
898
- 'https://*.did.abtnet.io',
899
- 'wss://*.did.abtnet.io',
900
- 'https://*.ip.abtnet.io',
901
- 'wss://*.ip.abtnet.io',
898
+
899
+ const cspImgSources = [
900
+ ...CSP_OFFICIAL_SOURCES,
901
+ ...CSP_SYSTEM_SOURCES,
902
+ ...CSP_THIRD_PARTY_SOURCES,
903
+ ...CSP_ICONIFY_SOURCES,
902
904
  'data:',
903
905
  'blob:',
906
+ ];
907
+ const cspConnectSources = [
908
+ ...CSP_OFFICIAL_SOURCES,
909
+ ...CSP_SYSTEM_SOURCES,
910
+ ...CSP_THIRD_PARTY_SOURCES,
911
+ ...CSP_ICONIFY_SOURCES,
904
912
  '*/__blocklet__.js',
905
913
  '*/.well-known/ping',
906
- 'https://api.simplesvg.com',
907
- 'https://api.unisvg.com',
908
- 'https://api.iconify.design',
909
914
  ];
910
- const cspPolicy = `default-src 'self'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' ${cspSources.join(' ')}; font-src 'self' data:; connect-src 'self' ${cspSources.join(' ')} */.well-known/ping; base-uri 'self'; object-src 'none'`;
915
+
916
+ const cspFrameSources = [...CSP_OFFICIAL_SOURCES, ...CSP_SYSTEM_SOURCES];
917
+
918
+ const cspPolicy = `default-src 'self'; frame-src 'self' ${cspFrameSources.join(' ')}; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' ${cspImgSources.join(' ')}; font-src 'self' data:; connect-src 'self' ${cspConnectSources.join(' ')} */.well-known/ping; base-uri 'self'; object-src 'none'`;
911
919
  const cspLine = `add_header Content-Security-Policy "${cspPolicy}" always;`;
912
920
 
913
921
  try {
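Review bot: `cspImgSources` and `cspConnectSources` (new lines 899–911) repeat the same four spreads, so a later edit to one list can silently diverge from the other; hoisting them once, `const cspBaseSources = [...CSP_OFFICIAL_SOURCES, ...CSP_SYSTEM_SOURCES, ...CSP_THIRD_PARTY_SOURCES, ...CSP_ICONIFY_SOURCES];`, then `const cspImgSources = [...cspBaseSources, 'data:', 'blob:'];` and `const cspConnectSources = [...cspBaseSources, '*/__blocklet__.js', '*/.well-known/ping'];`, keeps them aligned. The new `frame-src` directive takes only the official and system lists, and because all four CSP_* constants are imported from `@abtnode/constant` (the require hunk above), widening any of those lists there now also widens which origins this daemon may frame; a comment such as `// frame-src intentionally omits third-party and iconify sources; the CSP_* lists live in @abtnode/constant` next to `cspFrameSources` would record that intent where the policy is built. `'*/.well-known/ping'` still appears both inside `cspConnectSources` and literally in the template's `connect-src`, a pre-existing duplication this rewrite could have dropped. `_ensureDaemonSecurityHeaders` continues past the end of the hunk.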
@@ -1123,6 +1131,8 @@ class NginxProvider extends BaseProvider {
1123
1131
  }) {
1124
1132
  const httpsServerUnit = this._addHttpsServerUnit({ conf, serverName, certificateFileName });
1125
1133
 
1134
+ this._addSecurityHeaders(httpsServerUnit, serviceType);
1135
+
1126
1136
  const httpServerUnit = this._addHttpServerUnit({ conf, serverName });
1127
1137
  httpServerUnit._add('return', '307 https://$host$request_uri'); // redirect to https if has https
1128
1138
 
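--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@abtnode/router-provider",
-"version": "1.16.49-beta-20250828-094758-93e69d1f",
+"version": "1.16.49-beta-20250829-075052-2563fcb3",
 "description": "Routing engine implementations for abt node",
 "author": "polunzh <polunzh@gmail.com>",
 "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,14 +32,14 @@
 "url": "https://github.com/ArcBlock/blocklet-server/issues"
 },
 "dependencies": {
-"@abtnode/constant": "1.16.49-beta-20250828-094758-93e69d1f",
-"@abtnode/db-cache": "1.16.49-beta-20250828-094758-93e69d1f",
-"@abtnode/logger": "1.16.49-beta-20250828-094758-93e69d1f",
-"@abtnode/router-templates": "1.16.49-beta-20250828-094758-93e69d1f",
-"@abtnode/util": "1.16.49-beta-20250828-094758-93e69d1f",
+"@abtnode/constant": "1.16.49-beta-20250829-075052-2563fcb3",
+"@abtnode/db-cache": "1.16.49-beta-20250829-075052-2563fcb3",
+"@abtnode/logger": "1.16.49-beta-20250829-075052-2563fcb3",
+"@abtnode/router-templates": "1.16.49-beta-20250829-075052-2563fcb3",
+"@abtnode/util": "1.16.49-beta-20250829-075052-2563fcb3",
 "@arcblock/http-proxy": "^1.19.1",
 "@arcblock/is-valid-domain": "^1.0.5",
-"@ocap/util": "^1.23.1",
+"@ocap/util": "^1.24.0",
 "axios": "^1.7.9",
 "debug": "^4.4.1",
 "fast-glob": "^3.3.2",
@@ -62,5 +62,5 @@
 "bluebird": "^3.7.2",
 "fs-extra": "^11.2.0"
 },
-"gitHead": "587711a6df767cafaadbb503daeac586e22c3988"
+"gitHead": "00522456124ad574b52f682e9debe33864469de0"
 }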