@abtnode/router-provider 1.16.49-beta-20250828-131156-98768a61 → 1.16.49-beta-20250902-002109-7f238eb8
@@ -447,3 +447,13 @@ SecRule REQUEST_FILENAME "@contains /discussions/add" \
447
447
chain"
448
448
SecRule REQUEST_METHOD "@pm GET POST PUT" \
449
449
"ctl:ruleEngine=Off"
450
+
451
+
# Disable header injection for static assets
452
+
SecRule REQUEST_FILENAME "@beginsWith /.blocklet/proxy" \
453
+
"id:1030,\
454
+
phase:1,\
455
+
pass,\
456
+
nolog,\
457
+
chain"
458
+
SecRule REQUEST_METHOD "@pm GET" \
459
+
"ctl:ruleEngine=Off"
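--- a/package/lib/nginx/index.js
+++ b/package/lib/nginx/index.js
@@ -895,17 +895,27 @@ class NginxProvider extends BaseProvider {
 
 _ensureDaemonSecurityHeaders() {
 const securityFilePath = path.join(this.includesDir, 'daemon', 'security');
-
+
+const cspImgSources = [
 ...CSP_OFFICIAL_SOURCES,
 ...CSP_SYSTEM_SOURCES,
 ...CSP_THIRD_PARTY_SOURCES,
 ...CSP_ICONIFY_SOURCES,
 'data:',
 'blob:',
+];
+const cspConnectSources = [
+...CSP_OFFICIAL_SOURCES,
+...CSP_SYSTEM_SOURCES,
+...CSP_THIRD_PARTY_SOURCES,
+...CSP_ICONIFY_SOURCES,
 '*/__blocklet__.js',
 '*/.well-known/ping',
 ];
-
+
+const cspFrameSources = [...CSP_OFFICIAL_SOURCES, ...CSP_SYSTEM_SOURCES];
+
+const cspPolicy = `default-src 'self'; frame-src 'self' ${cspFrameSources.join(' ')}; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' ${CSP_THIRD_PARTY_SOURCES.join(' ')}; style-src 'self' 'unsafe-inline'; img-src 'self' ${cspImgSources.join(' ')}; font-src 'self' data:; connect-src 'self' ${cspConnectSources.join(' ')} */.well-known/ping; base-uri 'self'; object-src 'none'`;
 const cspLine = `add_header Content-Security-Policy "${cspPolicy}" always;`;
 
 try {
@@ -932,7 +942,7 @@ class NginxProvider extends BaseProvider {
 '# Use "no-referrer" if you want the strictest setting.',
 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;',
 'add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), bluetooth=(), fullscreen=(), xr-spatial-tracking=(), magnetometer=(), gyroscope=(), accelerometer=(), browsing-topics=()" always;',
-'add_header X-Frame-Options "
+'add_header X-Frame-Options "SAMEORIGIN" always;',
 '# Content-Security-Policy (CSP):',
 '# Mitigates XSS by restricting resource loading.',
 '# This baseline only allows self-hosted resources, blocks framing,',
@@ -1121,6 +1131,9 @@ class NginxProvider extends BaseProvider {
 }) {
 const httpsServerUnit = this._addHttpsServerUnit({ conf, serverName, certificateFileName });
 
+this._addSecurityHeaders(httpsServerUnit, serviceType);
+httpsServerUnit._addVerbatimBlock('if ($has_multi_origin)', 'return 400;');
+
 const httpServerUnit = this._addHttpServerUnit({ conf, serverName });
 httpServerUnit._add('return', '307 https://$host$request_uri'); // redirect to https if has https
 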
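Review bot: In the new `cspPolicy` template (first hunk, new line 918) `connect-src` lists `*/.well-known/ping` twice — once via `cspConnectSources`, whose last entry is `'*/.well-known/ping'`, and again as the literal appended after `${cspConnectSources.join(' ')}`; drop the trailing literal so the array is the single source of truth: `connect-src 'self' ${cspConnectSources.join(' ')}; base-uri 'self'; object-src 'none'`. Separately, `script-src 'self' 'unsafe-inline' …` permits inline scripts, which undercuts the "Mitigates XSS by restricting resource loading" comment this same method writes into the generated file in the second hunk; whether that token was already in the policy this replaces is not visible here, but if it is required it deserves a comment naming the inline scripts it exists for, with nonces or hashes as the stricter alternative to revisit. The four spreads shared by `cspImgSources` and `cspConnectSources` could be lifted into one base list to keep the two from drifting apart. `_ensureDaemonSecurityHeaders` continues outside the hunk.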
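--- a/package/lib/nginx/util.js
+++ b/package/lib/nginx/util.js
@@ -217,6 +217,11 @@ real_ip_recursive ${proxyPolicy?.trustRecursive ? 'on' : 'off'};`
 default upgrade;
 '' "";
 }
+map $http_origin $has_multi_origin {
+default 0;
+~*, 1;
+}
+
 client_body_temp_path ${path.join(tmpDir, 'client_body')};
 proxy_temp_path ${path.join(tmpDir, 'proxy')};
 fastcgi_temp_path ${path.join(tmpDir, 'fastcgi')};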
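Review bot: The new `map $http_origin $has_multi_origin` block says nothing about why a comma in the Origin value is treated as an error, and the `~*` case-insensitive prefix is redundant for a literal comma, so `~, 1;` is enough. I would add an nginx comment above the map along the lines of `# A comma in $http_origin means the client sent more than one Origin header (nginx joins duplicates with ", "); the server block rejects such requests with 400`. Note that this detection relies on nginx combining duplicate headers into a single comma-separated `$http_*` value — a 1.23.0 change as far as I know — so on older builds only the first value is exposed and the map never fires; worth recording next to the map. The enclosing template literal starts outside the hunk.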
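--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@abtnode/router-provider",
-"version": "1.16.49-beta-
+"version": "1.16.49-beta-20250902-002109-7f238eb8",
 "description": "Routing engine implementations for abt node",
 "author": "polunzh <polunzh@gmail.com>",
 "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,14 +32,14 @@
 "url": "https://github.com/ArcBlock/blocklet-server/issues"
 },
 "dependencies": {
-"@abtnode/constant": "1.16.49-beta-
-"@abtnode/db-cache": "1.16.49-beta-
-"@abtnode/logger": "1.16.49-beta-
-"@abtnode/router-templates": "1.16.49-beta-
-"@abtnode/util": "1.16.49-beta-
+"@abtnode/constant": "1.16.49-beta-20250902-002109-7f238eb8",
+"@abtnode/db-cache": "1.16.49-beta-20250902-002109-7f238eb8",
+"@abtnode/logger": "1.16.49-beta-20250902-002109-7f238eb8",
+"@abtnode/router-templates": "1.16.49-beta-20250902-002109-7f238eb8",
+"@abtnode/util": "1.16.49-beta-20250902-002109-7f238eb8",
 "@arcblock/http-proxy": "^1.19.1",
 "@arcblock/is-valid-domain": "^1.0.5",
-"@ocap/util": "^1.
+"@ocap/util": "^1.24.3",
 "axios": "^1.7.9",
 "debug": "^4.4.1",
 "fast-glob": "^3.3.2",
@@ -62,5 +62,5 @@
 "bluebird": "^3.7.2",
 "fs-extra": "^11.2.0"
 },
-"gitHead": "
+"gitHead": "9bee8945b677d3f490bf3620b71f030a25268aa0"
 }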