@abtnode/router-provider 1.16.49-beta-20250828-131156-98768a61 → 1.16.49-beta-20250829-075052-2563fcb3

package/lib/nginx/includes/security/crs4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

@@ -447,3 +447,13 @@ SecRule REQUEST_FILENAME "@contains /discussions/add" \
    chain"
    SecRule REQUEST_METHOD "@pm GET POST PUT" \
        "ctl:ruleEngine=Off"
+
+# Disable header injection for static assets
+SecRule REQUEST_FILENAME "@beginsWith /.blocklet/proxy" \
+   "id:1030,\
+   phase:1,\
+   pass,\
+   nolog,\
+   chain"
+   SecRule REQUEST_METHOD "@pm GET" \
+       "ctl:ruleEngine=Off"

package/lib/nginx/index.js

@@ -895,17 +895,27 @@ class NginxProvider extends BaseProvider {
 
   _ensureDaemonSecurityHeaders() {
     const securityFilePath = path.join(this.includesDir, 'daemon', 'security');
-    const cspSources = [
+
+    const cspImgSources = [
       ...CSP_OFFICIAL_SOURCES,
       ...CSP_SYSTEM_SOURCES,
       ...CSP_THIRD_PARTY_SOURCES,
       ...CSP_ICONIFY_SOURCES,
       'data:',
       'blob:',
+    ];
+    const cspConnectSources = [
+      ...CSP_OFFICIAL_SOURCES,
+      ...CSP_SYSTEM_SOURCES,
+      ...CSP_THIRD_PARTY_SOURCES,
+      ...CSP_ICONIFY_SOURCES,
       '*/__blocklet__.js',
       '*/.well-known/ping',
     ];
-    const cspPolicy = `default-src 'self'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' ${cspSources.join(' ')}; font-src 'self' data:; connect-src 'self' ${cspSources.join(' ')} */.well-known/ping; base-uri 'self'; object-src 'none'`;
+
+    const cspFrameSources = [...CSP_OFFICIAL_SOURCES, ...CSP_SYSTEM_SOURCES];
+
+    const cspPolicy = `default-src 'self'; frame-src 'self' ${cspFrameSources.join(' ')}; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' ${cspImgSources.join(' ')}; font-src 'self' data:; connect-src 'self' ${cspConnectSources.join(' ')} */.well-known/ping; base-uri 'self'; object-src 'none'`;
     const cspLine = `add_header Content-Security-Policy "${cspPolicy}" always;`;
 
     try {
@@ -1121,6 +1131,8 @@ class NginxProvider extends BaseProvider {
   }) {
     const httpsServerUnit = this._addHttpsServerUnit({ conf, serverName, certificateFileName });
 
+    this._addSecurityHeaders(httpsServerUnit, serviceType);
+
     const httpServerUnit = this._addHttpServerUnit({ conf, serverName });
     httpServerUnit._add('return', '307 https://$host$request_uri'); // redirect to https if has https
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.16.49-beta-20250828-131156-98768a61",
+  "version": "1.16.49-beta-20250829-075052-2563fcb3",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,14 +32,14 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.16.49-beta-20250828-131156-98768a61",
-    "@abtnode/db-cache": "1.16.49-beta-20250828-131156-98768a61",
-    "@abtnode/logger": "1.16.49-beta-20250828-131156-98768a61",
-    "@abtnode/router-templates": "1.16.49-beta-20250828-131156-98768a61",
-    "@abtnode/util": "1.16.49-beta-20250828-131156-98768a61",
+    "@abtnode/constant": "1.16.49-beta-20250829-075052-2563fcb3",
+    "@abtnode/db-cache": "1.16.49-beta-20250829-075052-2563fcb3",
+    "@abtnode/logger": "1.16.49-beta-20250829-075052-2563fcb3",
+    "@abtnode/router-templates": "1.16.49-beta-20250829-075052-2563fcb3",
+    "@abtnode/util": "1.16.49-beta-20250829-075052-2563fcb3",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
-    "@ocap/util": "^1.23.1",
+    "@ocap/util": "^1.24.0",
     "axios": "^1.7.9",
     "debug": "^4.4.1",
     "fast-glob": "^3.3.2",
@@ -62,5 +62,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "2d2312333cf9dd50034609c678f2fd777e0ba25a"
+  "gitHead": "00522456124ad574b52f682e9debe33864469de0"
 }