update local modifications for cors and cp
This commit is contained in:
parent
09f7ad3614
commit
9bc593d675
|
@ -71,10 +71,13 @@ module Mastodon
|
||||||
config.middleware.insert_before 0, Rack::Cors do
|
config.middleware.insert_before 0, Rack::Cors do
|
||||||
allow do
|
allow do
|
||||||
origins '*'
|
origins '*'
|
||||||
resource '/assets/*', headers: :any, methods: [:get, :head, :options]
|
|
||||||
resource '/@:username', headers: :any, methods: [:get], credentials: false
|
resource '/@:username', headers: :any, methods: [:get], credentials: false
|
||||||
resource '/api/*', headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
|
resource '/api/*', headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
|
||||||
resource '/oauth/token', headers: :any, methods: [:post], credentials: false
|
resource '/oauth/token', headers: :any, methods: [:post], credentials: false
|
||||||
|
resource '/assets/*', headers: :any, methods: [:get, :head, :options]
|
||||||
|
resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options]
|
||||||
|
resource '/javascripts/*', headers: :any, methods: [:get, :head, :options]
|
||||||
|
resource '/packs/*', headers: :any, methods: [:get, :head, :options]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -93,9 +93,12 @@ Rails.application.configure do
|
||||||
end
|
end
|
||||||
|
|
||||||
config.action_dispatch.default_headers = {
|
config.action_dispatch.default_headers = {
|
||||||
'Server' => 'Mastodon',
|
'Server' => 'Mastodon',
|
||||||
'X-Frame-Options' => 'DENY',
|
'X-Frame-Options' => 'DENY',
|
||||||
'X-Content-Type-Options' => 'nosniff',
|
'X-Content-Type-Options' => 'nosniff',
|
||||||
'X-XSS-Protection' => '1; mode=block',
|
'X-XSS-Protection' => '1; mode=block',
|
||||||
|
'Content-Security-Policy' => "frame-ancestors 'none'; object-src 'none'; script-src 'self' https://dev-static.glitch.social 'unsafe-inline'; base-uri 'none';" ,
|
||||||
|
'Referrer-Policy' => 'no-referrer, strict-origin-when-cross-origin',
|
||||||
|
'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload'
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue