Commit Graph

13 Commits

Author SHA1 Message Date
Tom 4fe920d12b
Handle Peertube Embeds (#1223)
* Handle peertube embeds

* Permit full screen for Rumble and PeerTube

* Use sandbox='allow-scripts' for iframes

* Restore frame-src domains

* Use endsWith

---------

Co-authored-by: ekzyis <ek@stacker.news>
2024-06-20 11:28:25 -05:00
Tom 52f57f8ac5
Embed Rumble Video (#1191)
* Render Rumble video in preview and posts

* Display Rumble video

* Remove workspace

* Add util function

* Use searchParam for id

* Update check for Rumble

* Update youtube match strings

* fix hostname conditions

---------

Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
2024-05-28 08:18:32 -05:00
ekzyis 98a27caaa9
Allow http: and ws: in dev CSP (#1126)
* Allow HTTP in dev build

* Also allow ws://
2024-05-03 14:17:10 -05:00
ekzyis 0434045f22 Refactor dev CSP logic
always uses string concatenation now
2024-03-29 15:35:25 +01:00
ekzyis b7893634ac Fix CSP commented out in middleware 2024-03-29 15:27:51 +01:00
keyan 9820055aee refine hiding bottom navbar when virtual keyboard opens 2024-03-28 18:18:44 -05:00
keyan f2ba61e64b enhance navigation 2024-03-26 18:36:31 -05:00
Keyan 23ee62fb21
add sndev shell script and enhance docker compose local dev
* add hot reloading worker:dev script

* refine docker config

* sndev bash script and docker reliability stuff

* make posix shell

* restart: always -> unless-stopped

* proper check for postgres health

* add db seed to sndev

* refinements after fresh builds

* begin adding regtest network

* add changes to .env.sample

* reorganize docker and add static certs/macaroon to lnd

* copy wallet and macaroon dbs for deterministic wallets/macaroons

* fix perms of shared directories

* allow debian useradd with duplicate id

* add auto-mining

* make bitcoin health check dependent on blockheight

* open channel between ln nodes

* improve channel opens

* add sndev payinvoice

* add sndev withdraw

* ascii art

* add sndev status

* sndev passthrough to docker and containers

* add sndev psql command

* remove script logging

* small script cleanup

* smaller db seed

* pin opensearch version

Co-authored-by: ekzyis <ek@stacker.news>

* pin opensearch dashboard

Co-authored-by: ekzyis <ek@stacker.news>

* add sndev prisma

* add help for all commands

* set -e

* s3 and image proxy with broken name resolution

* finally fully working image uploads

* use a better diff algo

---------

Co-authored-by: ekzyis <ek@stacker.news>
2024-03-13 09:04:09 -05:00
keyan 2d20d1a8aa new email welcome gif 2024-03-04 21:00:28 -06:00
ekzyis 30bc3b612a
Fix comment (unsafe-eval isn't used in prod) (#825) 2024-02-14 08:45:00 -06:00
ekzyis bff9342272
Allow blob: scheme (#817) 2024-02-13 16:11:34 -06:00
ekzyis fc18a917e3
Add Content Security Policy headers (#805)
* Basic CSP with unsafe-inline, unsafe-eval

* Allow 'self' for img-src and connect-src

Apparently, there is a bug for Chrome on iOS if connect-src does not allow 'self'.

See known issues at https://caniuse.com/contentsecuritypolicy

* Use nonces for strict CSP

* More CSP comments

* Add frame-ancestors directive

* Add more useful headers

* Add HSTS header

* Allow youtube and twitter embeds

For some reason, www.youtube.com is enough. It also works for youtube.com and youtube-nocookie.com.

For twitter embeds from twitter.com or x.com, platform.twitter.com is enough.

* Allow CDN and media domain in CSP

* Only allow unsafe-eval in dev build

* Ignore _next/webpack-hmr in middleware
2024-02-13 13:10:06 -06:00
keyan 41226245c5 referrals 2022-12-19 16:27:52 -06:00