Commit Graph

71 Commits

Author SHA1 Message Date
Claire 19e14654cc
Reduce CSP configuration changes with upstream (#2536) 2023-12-27 09:54:05 +01:00
Claire 6c00d5b0c4 Fix test failure caused by glitch-soc changes 2023-12-19 21:14:39 +01:00
Claire 46ddaffd40 Merge commit 'b87bfb8c96c8491f1228e0258d05119f3420db05' into glitch-soc/merge-upstream 2023-12-18 18:34:25 +01:00
Claire 33dd5d8179 Fix Ruby lint issues 2023-12-17 23:17:55 +01:00
Claire 660372d130
Revert recent CSP changes (#2485)
* Revert "Fix image and media loading when using external storage server"

This reverts commit 6cfa0245ca.

* Revert "Change glitch-soc's CSP config to match upstream's closer (#2474)"

This reverts commit d59196e170.
2023-11-26 15:32:35 +01:00
Claire 6cfa0245ca Fix image and media loading when using external storage server
Fixes #2479
2023-11-21 13:45:29 +01:00
Claire d59196e170
Change glitch-soc's CSP config to match upstream's closer (#2474) 2023-11-20 13:02:49 +01:00
Matt Jankowski c875dfc90b
Fix `Lint/UnusedBlockArgument` cop (#27777) 2023-11-09 09:43:26 +00:00
Matt Jankowski 33cc3ae8fa
Fix `Style/StabbyLambdaParentheses` cop (#27771) 2023-11-08 12:01:18 +00:00
Matt Jankowski eae5c7334a
Extract class from CSP configuration/initialization (#26905) 2023-10-27 16:20:40 +00:00
Claire 62620956d5 Merge commit '9a3d047f3e604e581e18346424569e28fc9c5b96' into glitch-soc/merge-upstream 2023-10-25 19:59:17 +02:00
Matt Jankowski 9a3d047f3e
Run `bin/rails app:update` with Rails 7.1 (#27522) 2023-10-25 13:56:09 +00:00
Claire 57c0de949b Merge commit '8b770ce8110e6cd609a6769c66210d95e291e3e5' into glitch-soc/merge-upstream
Conflicts:
- `config/initializers/content_security_policy.rb`:
  Upstream changed how asset host CSP directives are used, and glitch-soc has
  a pretty different CSP file.
  It may be worth reconsidering the differences between upstream and glitch-soc
  but for now, just port the change.
2023-10-24 19:17:20 +02:00
Claire c3e0eb3699
Change Content-Security-Policy to be tighter on media paths (#26889) 2023-10-23 14:27:07 +02:00
Claire ac2370778a Merge commit 'c676bc91e9c3aa81eb7cfbce3c5c5e80b84d3d02' into glitch-soc/merge-upstream
Conflicts:
- `config/environments/production.rb`:
  Upstream enforced a code style change and glitch-soc had a few different lines.
  Applied upstream's code style to glitch-soc's changes.
2023-10-08 17:21:12 +02:00
Nick Schonning 85db392464
Autofix Rubocop cops for config/ (#24145) 2023-10-03 15:24:12 +02:00
Georg Gadinger ebd2017524
fix Content-Security-Policy when using Azure storage (#2427) 2023-09-26 20:09:56 +02:00
Claire 5ed72f668f Merge commit 'b90383d07388fe8513e59a6deb1a2391146c6561' into glitch-soc/merge-upstream 2023-09-15 21:39:21 +02:00
Claire e193c848fe Merge commit '97e4011c3ce31c6d492d5f103e95a35b6ebdc9bd' into glitch-soc/merge-upstream
Conflicts:
- `config/initializers/content_security_policy.rb`:
  Upstream added some code to add the Identity Provider's sign-in endpoint to
  the `form-action` Content Security Policy directive but our version of the
  file is pretty different.
  Ported the change.
2023-09-15 21:25:05 +02:00
Claire a04ae16201
Fix CSP when using `ONE_CLICK_SSO_LOGIN` (#26901) 2023-09-13 19:54:04 +02:00
CSDUMMI 9a70cac9de
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857) 2023-09-12 13:04:51 +02:00
Christian Schmidt 286a21afdc
Support webpacker live-reloading on Docker (#26419) 2023-08-29 10:17:57 +02:00
Claire 73a3228e0f Fix CSP tests in glitch-soc 2023-07-30 17:30:13 +02:00
Claire 993d0a9950 Merge commit '1e3b19230a48174acf524cf1a9f5a498e220ea7d' into glitch-soc/merge-upstream
Conflicts:
- `app/models/account.rb`:
  Upstream added new validations close to lines on which glitch-soc had
  modified validations to handle custom limits set through environment
  variables.
  Ported upstream changes.
- `config/initializers/content_security_policy.rb`:
  Upstream added `AZURE_ALIAS_HOST`. Glitch-soc's version of the file is
  completely different.
  Added `AZURE_ALIAS_HOST` to our version of the file.
2023-07-30 13:15:01 +02:00
Claire e5f1000ad1
Fix CSP headers being unintendedly wide (#26105) 2023-07-21 13:34:15 +02:00
Misty De Méo b848ba3867
Paperclip: add support for Azure blob storage (#23607) 2023-07-19 09:02:49 +02:00
Claire 9ae60f8738 Merge commit '82e477b184b5666fff7fb55933dce22ca2925db8' into glitch-soc/merge-upstream
Conflicts:
- `db/migrate/20180831171112_create_bookmarks.rb`:
  Upstream ran a lint fix on this file, but this file is different in
  glitch-soc because the feature was added much earlier.
  Ran the lint fix on our own version of the file.
2023-07-12 16:03:05 +02:00
Nick Schonning 1d557305d2
Enable Rubocop Style/FrozenStringLiteralComment (#23793) 2023-07-12 09:47:08 +02:00
Claire e428670e61
Fix CSP headers when S3_ALIAS_HOST includes a path component (#25273) 2023-06-05 17:35:05 +02:00
Matt Jankowski 5a2aa06a51
Fix Rails/Present cop (#24688) 2023-04-30 06:47:50 +02:00
Nick Schonning 500d6f93be
Autofix Rubocop Style/IdenticalConditionalBranches (#24322) 2023-03-31 09:33:52 +02:00
Claire 7955d4b959
Add form-action CSP directive (#20781) 2022-11-17 10:55:03 +01:00
Claire 8c56441b4a
Add form-action CSP directive (#1948) 2022-11-16 16:28:48 +01:00
Claire 1901829f9a Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `config/initializers/content_security_policy.rb`:
  Our config file is pretty different from upstream.
  Upstream changed CSP directive `script-src` to include
  `wasm-unsafe-eval` instead of `unsafe-eval`, which we
  did not include.
  Added `wasm-unsafe-eval` to `script-src` to fix
  execution of the OCR web worker.
- `package.json`:
  Upstream updated a dependency (`array-includes`) textually
  adjacent to a glitch-soc-only dependency (`atrament`).
  Updated `array-includes` as upstream did.
2022-11-16 08:30:00 +01:00
Eugen Rochko 43b0b2f3f4
Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` (#20729) 2022-11-15 03:39:06 +01:00
prplecake b46b7c3d5e
Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP (#20606)
* Add "unsafe-eval" to script-src CSP

* Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
2022-11-15 03:22:38 +01:00
prplecake aafbc82d88
Add "unsafe-eval" to script-src CSP (#18817) 2022-10-26 19:23:16 +02:00
Claire c79a03b319 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `README.md`:
  Upstream changed their README, we have a completely different one.
  Kept our README.
2022-03-15 20:45:27 +01:00
Yamagishi Kazutoshi eb9a7e3626
Fix LetterOpennerWeb CSP (#17770) 2022-03-14 19:20:40 +01:00
Claire e2a2bc9021 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `README.md`:
  Upstream updated copyright year, we don't mention it so kept our version.
- `app/controllers/admin/dashboard_controller.rb`:
  Not really a conflict, upstream change (removing the spam checker) too close
  to glitch-soc changes. Ported upstream changes.
- `app/models/form/admin_settings.rb`:
  Same.
- `app/services/remove_status_service.rb`:
  Same.
- `app/views/admin/settings/edit.html.haml`:
  Same.
- `config/settings.yml`:
  Same.
- `config/environments/production.rb`:
  Not a real conflict, upstream added a default HTTP header, but we have
  extra headers in glitch-soc.
  Added the header.
2021-04-20 12:17:14 +02:00
Eugen Rochko 3f2533ca8e
Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
Claire f60c99a8fb Merge branch 'main' into glitch-soc/merge-upstream 2021-03-24 10:53:50 +01:00
Claire cbd0ee1d07
Update Mastodon to Rails 6.1 (#15910)
* Update devise-two-factor to unreleased fork for Rails 6 support

Update tests to match new `rotp` version.

* Update nsa gem to unreleased fork for Rails 6 support

* Update rails to 6.1.3 and rails-i18n to 6.0

* Update to unreleased fork of pluck_each for Ruby 6 support

* Run "rails app:update"

* Add missing ActiveStorage config file

* Use config.ssl_options instead of removed ApplicationController#force_ssl

Disabled force_ssl-related tests as they do not seem to be easily testable
anymore.

* Fix nonce directives by removing Rails 5 specific monkey-patching

* Fix fixture_file_upload deprecation warning

* Fix yield-based test failing with Rails 6

* Use Rails 6's index_with when possible

* Use ActiveRecord::Cache::Store#delete_multi from Rails 6

This will yield better performances when deleting an account

* Disable Rails 6.1's automatic preload link headers

Since Rails 6.1, ActionView adds preload links for javascript files
in the Links header per default.

In our case, that will bloat headers too much and potentially cause
issues with reverse proxies. Furhermore, we don't need those links,
as we already output them as HTML link tags.

* Switch to Rails 6.0 default config

* Switch to Rails 6.1 default config

* Do not include autoload paths in the load path
2021-03-24 10:44:31 +01:00
Thibaut Girka e9ad99bc93 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `package.json`:
  Not really a conflict, just some glitch-soc-specific dependency
  too close to an upstream-updated one.
2020-07-07 15:58:45 +02:00
ThibG a783bdf4ad
Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets

* Pass nonce to react-select
2020-07-07 01:33:38 +02:00
Thibaut Girka 4a70792b4a Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `Gemfile.lock`:
  Not a real conflict, just a glitch-soc-only dependency too close to a
  dependency that got updated upstream. Updated as well.
- `app/models/status.rb`:
  Not a real conflict, just a change too close to glitch-soc-changed code
  for optionally showing boosts in public timelines.
  Applied upstream changes.
- `app/views/layouts/application.html.haml`:
  Upstream a new, static CSS file, conflict due to glitch-soc's theming
  system, include the file regardless of the theme.
- `config/initializers/content_security_policy.rb`:
  Upstream dropped 'unsafe-inline' from the 'style-src' directive, but
  both files are very different. Removed 'unsafe-inline' as well.
2020-05-10 16:19:56 +02:00
ThibG e1629a7758
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)
* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
2020-05-08 21:22:57 +02:00
ThibG dea5db0e25
Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
Thibaut Girka f3eff922a3 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/javascript/mastodon/features/compose/components/poll_form.js`:
  Upstream bumped poll option character limit, but we already had
  a higher one, kept ours.
- `app/validators/poll_validator.rb`:
  Upstream bumped poll option character limit, but we already had
  a higher one, kept ours.
- `config/initializers/content_security_policy.rb`:
  Upstream added a rule, the way we compute ours is different, but
  that added rule has been ported.
- `package.json`:
  No real conflict, dependency update. Performed the same update.
- `yarn.lock`:
  No real conflict, dependency update. Performed the same update.
2020-04-02 20:32:00 +02:00
ThibG 7ddbbdea6d
Fix OCR not working on Safari because of unsupported worker-src CSP (#13323)
Fixes #13321
2020-03-27 22:35:57 +01:00