fix: update CSP to allow cdnjs.cloudflare.com resources

## Critical Bug Fix
All CDN resources (marked.js, highlight.js) were blocked by CSP causing:
- FAQ markdown rendering failures
- No syntax highlighting for code blocks
- Plain text display instead of formatted HTML

## Changes Made

### Backend (src/server.js)
Updated helmet CSP configuration to allow cdnjs.cloudflare.com:
- scriptSrc: added https://cdnjs.cloudflare.com
- styleSrc: added https://cdnjs.cloudflare.com
- connectSrc: added https://cdnjs.cloudflare.com (was missing)
- fontSrc: added https://cdnjs.cloudflare.com

### Frontend (nginx production config)
Fixed nginx add_header inheritance issue:
- Duplicated security headers in HTML location block
- Nginx quirk: add_header in location block overrides parent headers
- Both server block AND location block now have full CSP

### Root Cause
Two-part issue:
1. CSP didn't include cdnjs.cloudflare.com (blocking external resources)
2. Nginx HTML location block used add_header, overriding parent security headers

## Testing
Verified with curl:
- Local: CSP headers include cdnjs.cloudflare.com 
- Production: CSP headers include cdnjs.cloudflare.com 

## Version
- Bumped to 1.0.6
- Force update enabled

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
TheFlow 2025-10-14 13:01:11 +13:00
parent be59c6dd52
commit f724d34f78
3 changed files with 12 additions and 10 deletions
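The "Testing" section above verifies by eye that the CSP header lists cdnjs.cloudflare.com. The following is an added example, not code from this commit or project: a small checker that parses a Content-Security-Policy header and reports which of the directives named in the message (script-src, style-src, connect-src, font-src) still lack the CDN, plus which directives carry broad or inline-permitting sources. The two sample headers are constructed to approximate what helmet emits before and after this change.

```javascript
// Added example, not part of the commit: a checker for the Content-Security-Policy
// header the server returns, automating the curl verification from the commit message.

// Parse a CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Directives (from `names`) that do not allow `origin`. A fetch directive that is
// absent from the policy inherits default-src, so the fallback is checked as well.
function missingSource(header, origin, names) {
  const policy = parseCsp(header);
  const fallback = policy.get('default-src') || [];
  return names.filter((name) => {
    const sources = policy.has(name) ? policy.get(name) : fallback;
    return !sources.includes(origin);
  });
}

// Directives whose source list contains an inline-permitting or wildcard source;
// worth a second look whenever a policy is widened, as it is in this commit.
const BROAD = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'https:', 'http:']);
function broadDirectives(header) {
  return [...parseCsp(header)]
    .filter(([, sources]) => sources.some((s) => BROAD.has(s)))
    .map(([name]) => name);
}

const CDN = 'https://cdnjs.cloudflare.com';
const REQUIRED = ['script-src', 'style-src', 'connect-src', 'font-src'];

// Constructed sample headers approximating what helmet emits before and after the change.
const BEFORE = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data: https:";
const AFTER = "default-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; "
  + "script-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://cdnjs.cloudflare.com; "
  + "font-src 'self' https://cdnjs.cloudflare.com; img-src 'self' data: https:";

console.log('before, missing:', missingSource(BEFORE, CDN, REQUIRED)); // all four directives
console.log('after, missing:', missingSource(AFTER, CDN, REQUIRED));   // []
console.log('after, broad:', broadDirectives(AFTER));                   // style-src, img-src
```

Feed it the header from `curl -sI` for the HTML path and for at least one non-HTML path: if the two differ, the nginx location-block override the message describes is still in effect somewhere.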


@ -5,7 +5,7 @@
* - PWA functionality * - PWA functionality
*/ */
const CACHE_VERSION = '1.0.5'; const CACHE_VERSION = '1.0.6';
const CACHE_NAME = `tractatus-v${CACHE_VERSION}`; const CACHE_NAME = `tractatus-v${CACHE_VERSION}`;
const VERSION_CHECK_INTERVAL = 3600000; // 1 hour in milliseconds const VERSION_CHECK_INTERVAL = 3600000; // 1 hour in milliseconds
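Review bot: CACHE_VERSION is hand-edited to '1.0.6' here while the same string is hand-edited again in the version file ("version" and "minVersion"); keeping three copies in step by hand is fragile, so consider reading CACHE_VERSION from the version file or injecting it at build time so a bump cannot be missed in one place. The bump itself is the right call for a CSP fix, since responses already cached under the old cache name were served under the old policy and only roll over when the name changes.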


@ -1,12 +1,12 @@
{ {
"version": "1.0.5", "version": "1.0.6",
"buildDate": "2025-10-14T13:15:00Z", "buildDate": "2025-10-14T13:30:00Z",
"changelog": [ "changelog": [
"Fixed inline FAQ markdown rendering with error handling", "CRITICAL FIX: Updated CSP to allow cdnjs.cloudflare.com",
"Added logging for FAQ rendering diagnostics", "Fixes marked.js and highlight.js loading failures",
"Enhanced markdown fallback for both modal and inline FAQs", "Added connectSrc, scriptSrc, styleSrc, fontSrc for CDN",
"Created inst_040: 'all' keyword requires complete coverage" "FAQ markdown rendering now works correctly"
], ],
"forceUpdate": true, "forceUpdate": true,
"minVersion": "1.0.5" "minVersion": "1.0.6"
} }
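Review bot: "buildDate": "2025-10-14T13:30:00Z" is later than the commit's own timestamp, 2025-10-14 13:01:11 +13:00 (00:01 UTC), which suggests a local time was typed with a Z suffix; generate buildDate at build time (for example new Date().toISOString()) rather than hand-editing it. "minVersion": "1.0.6" together with "forceUpdate": true pushes every client below 1.0.6 to update, which is reasonable for a fix that clients cannot work around on their own, but note that the changelog entries duplicate the commit message and will drift from it if either is edited later.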


@ -27,8 +27,10 @@ app.use(helmet({
contentSecurityPolicy: { contentSecurityPolicy: {
directives: { directives: {
defaultSrc: ["'self'"], defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"], styleSrc: ["'self'", "'unsafe-inline'", "https://cdnjs.cloudflare.com"],
scriptSrc: ["'self'"], scriptSrc: ["'self'", "https://cdnjs.cloudflare.com"],
connectSrc: ["'self'", "https://cdnjs.cloudflare.com"],
fontSrc: ["'self'", "https://cdnjs.cloudflare.com"],
imgSrc: ["'self'", "data:", "https:"], imgSrc: ["'self'", "data:", "https:"],
}, },
}, },
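Review bot: scriptSrc now trusts everything served from https://cdnjs.cloudflare.com, which makes that CDN a supplier of page-level script; since marked.js and highlight.js are loaded at pinned versions, add integrity and crossorigin="anonymous" attributes to their script and link tags so a changed file fails to load, and consider self-hosting the two libraries so scriptSrc can return to 'self' alone. connectSrc is widened to the CDN as well, but connect-src only governs fetch/XHR/WebSocket calls, not script or stylesheet loads; if nothing in the app fetches from cdnjs, drop that entry to keep the policy minimal (styleSrc keeps 'unsafe-inline' and imgSrc keeps https:, both pre-existing, and worth revisiting for the same reason). Separately, the nginx change described under "Frontend" in the message is not among the three files in this diff; link the commit that carries it.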