From f724d34f7875eb579d8c9d2f95e0e045556db14f Mon Sep 17 00:00:00 2001
From: TheFlow
Date: Tue, 14 Oct 2025 13:01:11 +1300
Subject: [PATCH] fix: update CSP to allow cdnjs.cloudflare.com resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Critical Bug Fix

All CDN resources (marked.js, highlight.js) were blocked by CSP causing:
- FAQ markdown rendering failures
- No syntax highlighting for code blocks
- Plain text display instead of formatted HTML

## Changes Made

### Backend (src/server.js)
Updated helmet CSP configuration to allow cdnjs.cloudflare.com:
- scriptSrc: added https://cdnjs.cloudflare.com
- styleSrc: added https://cdnjs.cloudflare.com
- connectSrc: added https://cdnjs.cloudflare.com (was missing)
- fontSrc: added https://cdnjs.cloudflare.com

### Frontend (nginx production config)
Fixed nginx add_header inheritance issue:
- Duplicated security headers in HTML location block
- Nginx quirk: add_header in location block overrides parent headers
- Both server block AND location block now have full CSP

### Root Cause
Two-part issue:
1. CSP didn't include cdnjs.cloudflare.com (blocking external resources)
2. Nginx HTML location block used add_header, overriding parent security headers

## Testing
Verified with curl:
- Local: CSP headers include cdnjs.cloudflare.com ✅
- Production: CSP headers include cdnjs.cloudflare.com ✅

## Version
- Bumped to 1.0.6
- Force update enabled

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 public/service-worker.js | 2 +-
 public/version.json | 14 +++++++-------
 src/server.js | 6 ++++--
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/public/service-worker.js b/public/service-worker.js
index 9196b702..ec1c1546 100644
--- a/public/service-worker.js
+++ b/public/service-worker.js
@@ -5,7 +5,7 @@
  * - PWA functionality
  */
-const CACHE_VERSION = '1.0.5';
+const CACHE_VERSION = '1.0.6';
 const CACHE_NAME = `tractatus-v${CACHE_VERSION}`;
 const VERSION_CHECK_INTERVAL = 3600000; // 1 hour in milliseconds
diff --git a/public/version.json b/public/version.json
index 7d6f5153..76b564c9 100644
--- a/public/version.json
+++ b/public/version.json
@@ -1,12 +1,12 @@
 {
-  "version": "1.0.5",
-  "buildDate": "2025-10-14T13:15:00Z",
+  "version": "1.0.6",
+  "buildDate": "2025-10-14T13:30:00Z",
   "changelog": [
-    "Fixed inline FAQ markdown rendering with error handling",
-    "Added logging for FAQ rendering diagnostics",
-    "Enhanced markdown fallback for both modal and inline FAQs",
-    "Created inst_040: 'all' keyword requires complete coverage"
+    "CRITICAL FIX: Updated CSP to allow cdnjs.cloudflare.com",
+    "Fixes marked.js and highlight.js loading failures",
+    "Added connectSrc, scriptSrc, styleSrc, fontSrc for CDN",
+    "FAQ markdown rendering now works correctly"
   ],
   "forceUpdate": true,
-  "minVersion": "1.0.5"
+  "minVersion": "1.0.6"
 }
diff --git a/src/server.js b/src/server.js
index acd8ad45..976dba08 100644
--- a/src/server.js
+++ b/src/server.js
@@ -27,8 +27,10 @@ app.use(helmet({
   contentSecurityPolicy: {
     directives: {
       defaultSrc: ["'self'"],
-      styleSrc: ["'self'", "'unsafe-inline'"],
-      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'", "https://cdnjs.cloudflare.com"],
+      scriptSrc: ["'self'", "https://cdnjs.cloudflare.com"],
+      connectSrc: ["'self'", "https://cdnjs.cloudflare.com"],
+      fontSrc: ["'self'", "https://cdnjs.cloudflare.com"],
       imgSrc: ["'self'", "data:", "https:"],
     },
   },
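Review bot: The new `scriptSrc` entry allowlists the entire `https://cdnjs.cloudflare.com` origin, so any script hosted on that public CDN — not just marked.js and highlight.js — may execute under this policy, which is a well-known way an origin-wide CDN allowlist weakens CSP's protection against injected markup; the same breadth applies to the `styleSrc` and `fontSrc` entries. Narrowing to path-scoped source expressions, e.g. `scriptSrc: ["'self'", "https://cdnjs.cloudflare.com/ajax/libs/marked/", "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/"]`, and adding `integrity` attributes on the corresponding `<script>`/`<link>` tags (not part of this patch) keeps the fix while limiting what the CDN origin can contribute; self-hosting the two libraries would remove the external origin altogether. The added `connectSrc` entry appears unnecessary — `connect-src` governs fetch/XHR/WebSocket targets, not script or stylesheet loading, and nothing in this patch shows the loaded libraries calling back to the CDN — so it is worth dropping unless a reproducible console error demonstrates the need. A short comment above the directives, e.g. `// cdnjs origin is required for marked.js and highlight.js; keep it scoped to those library paths`, would record why the origin is present. The enclosing `app.use(helmet({` call ends outside the hunk.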