tractatus/public
TheFlow 6a0e7f2f9c fix: update CSP to allow cdnjs.cloudflare.com resources
## Critical Bug Fix
All CDN resources (marked.js, highlight.js) were blocked by CSP causing:
- FAQ markdown rendering failures
- No syntax highlighting for code blocks
- Plain text display instead of formatted HTML

## Changes Made

### Backend (src/server.js)
Updated helmet CSP configuration to allow cdnjs.cloudflare.com:
- scriptSrc: added https://cdnjs.cloudflare.com
- styleSrc: added https://cdnjs.cloudflare.com
- connectSrc: added https://cdnjs.cloudflare.com (was missing)
- fontSrc: added https://cdnjs.cloudflare.com

### Frontend (nginx production config)
Fixed nginx add_header inheritance issue:
- Duplicated security headers in HTML location block
- Nginx quirk: add_header in location block overrides parent headers
- Both server block AND location block now have full CSP

### Root Cause
Two-part issue:
1. CSP didn't include cdnjs.cloudflare.com (blocking external resources)
2. Nginx HTML location block used add_header, overriding parent security headers

## Testing
Verified with curl:
- Local: CSP headers include cdnjs.cloudflare.com 
- Production: CSP headers include cdnjs.cloudflare.com 

## Version
- Bumped to 1.0.6
- Force update enabled

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-14 13:01:11 +13:00
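The two mechanisms the commit message above relies on (a helmet `directives` object that now lists cdnjs.cloudflare.com, and the nginx rule that a location-level `add_header` discards every header the server block set) are modelled in the following added example. It is not code from the tractatus project; the pre-fix directive values, the page origin, the CDN file paths and the `Cache-Control` header in the location block are all assumed, and host-source matching is simplified to scheme, host and port (no wildcards, paths, nonces or hashes).

```javascript
// Added example (not the project's own code). Models the helmet CSP change and
// the nginx add_header inheritance rule described in the commit message.
// Host-source matching is simplified: scheme + host + port only.

const PAGE_ORIGIN = "https://example.invalid"; // constructed stand-in for the site origin
const CDN = "https://cdnjs.cloudflare.com";

// Shape accepted by helmet.contentSecurityPolicy({ directives }) (camelCase keys).
// The pre-fix values are assumed; the commit only says the CDN was missing.
const CSP_BEFORE = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  styleSrc: ["'self'"],
  fontSrc: ["'self'"],
  connectSrc: ["'self'"],
};

// Post-fix: the four directives the commit lists, each with the CDN appended.
const CSP_AFTER = {
  ...CSP_BEFORE,
  scriptSrc: [...CSP_BEFORE.scriptSrc, CDN],
  styleSrc: [...CSP_BEFORE.styleSrc, CDN],
  connectSrc: [...CSP_BEFORE.connectSrc, CDN],
  fontSrc: [...CSP_BEFORE.fontSrc, CDN],
};

// Serialize a directives object to the header value helmet emits:
// camelCase -> kebab-case, sources space-separated, directives ';'-separated.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const kebab = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
      return `${kebab} ${sources.join(" ")}`;
    })
    .join("; ");
}

// Parse a Content-Security-Policy header value into { "directive-name": [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name] = sources;
  }
  return policy;
}

// Would `policy` let the page load `url` under `directive`? Falls back to
// default-src when the fetch directive is absent, as the browser does.
function allows(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const sources = policy[directive] ?? policy["default-src"] ?? [];
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase(); // scheme-source
    try { return new URL(src).origin === target.origin; } catch { return false; } // host-source
  });
}

// Constructed list of what the FAQ page pulls from the CDN (paths are illustrative).
const CDN_RESOURCES = [
  { directive: "script-src", url: `${CDN}/marked.min.js` },
  { directive: "script-src", url: `${CDN}/highlight.min.js` },
  { directive: "style-src", url: `${CDN}/highlight-theme.min.css` },
];

// URLs a given header value would block; empty means the CDN assets all load.
function blockedResources(header) {
  const policy = parseCsp(header);
  return CDN_RESOURCES.filter((r) => !allows(policy, r.directive, r.url)).map((r) => r.url);
}

// nginx rule: add_header is inherited from the enclosing level only when the
// current level defines no add_header of its own. One header in a location
// block therefore drops every header the server block set.
function nginxEffectiveHeaders(serverHeaders, locationHeaders) {
  return Object.keys(locationHeaders).length > 0 ? { ...locationHeaders } : { ...serverHeaders };
}

const SERVER_HEADERS = {
  "Content-Security-Policy": serializeCsp(CSP_AFTER),
  "X-Content-Type-Options": "nosniff",
};
// Broken: the HTML location adds only a (assumed) cache header, so the CSP never ships.
const HTML_LOCATION_BROKEN = { "Cache-Control": "no-cache" };
// Fixed, as the commit does it: repeat the full header set in the location block.
const HTML_LOCATION_FIXED = { ...SERVER_HEADERS, "Cache-Control": "no-cache" };

console.log("blocked before:", blockedResources(serializeCsp(CSP_BEFORE)));
console.log("blocked after: ", blockedResources(serializeCsp(CSP_AFTER)));
console.log("CSP reaches browser (broken location):",
  "Content-Security-Policy" in nginxEffectiveHeaders(SERVER_HEADERS, HTML_LOCATION_BROKEN));
console.log("CSP reaches browser (fixed location):  ",
  "Content-Security-Policy" in nginxEffectiveHeaders(SERVER_HEADERS, HTML_LOCATION_FIXED));
```

Two practitioner notes on the design. Duplicating headers by hand in every `location` that uses `add_header` is exactly what the inheritance rule forces, but the copies drift; keeping the set in one snippet and pulling it into both levels with nginx's `include` directive avoids that. And adding an origin to `script-src` trusts everything served from that host, so pin each CDN script and stylesheet with a Subresource Integrity `integrity` attribute and `crossorigin="anonymous"` so a changed file fails to load instead of running; `connect-src` only needs the CDN if the page itself does `fetch()`/XHR calls to it, since `<script>` and `<link>` loads are governed by `script-src` and `style-src` alone.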
| Name | Last commit | Date |
|------|-------------|------|
| .well-known | security: comprehensive security audit and hardening | 2025-10-10 05:34:40 +13:00 |
| about | feat: comprehensive accessibility improvements (WCAG 2.1 AA) | 2025-10-12 07:08:40 +13:00 |
| admin | docs: update implementation roadmap and UI pages | 2025-10-12 16:37:58 +13:00 |
| css | fix(ui): rebuild Tailwind CSS with tooltip classes and update cache to v1.0.4 | 2025-10-09 09:53:07 +13:00 |
| demos | feat: comprehensive accessibility improvements (WCAG 2.1 AA) | 2025-10-12 07:08:40 +13:00 |
| downloads | docs: regenerate PDFs and update documentation metadata | 2025-10-14 10:53:48 +13:00 |
| images | feat: add runtime-agnostic architecture page with honest early-stage positioning | 2025-10-13 21:51:58 +13:00 |
| js | fix: inline FAQ markdown rendering and add inst_040 | 2025-10-14 12:51:08 +13:00 |
| koha | feat: complete Priority 2 - Enhanced Koha Transparency Dashboard | 2025-10-11 17:14:34 +13:00 |
| about.html | fix: FAQ modal scrolling and standardize footers | 2025-10-14 12:46:23 +13:00 |
| api-reference.html | chore: cache busting for document review updates | 2025-10-12 20:42:46 +13:00 |
| architecture.html | feat: add runtime-agnostic architecture page with honest early-stage positioning | 2025-10-13 21:51:58 +13:00 |
| blog-post.html | chore: cache busting for document review updates | 2025-10-12 20:42:46 +13:00 |
| blog.html | chore: cache busting for document review updates | 2025-10-12 20:42:46 +13:00 |
| case-submission.html | fix: FAQ modal scrolling and standardize footers | 2025-10-14 12:46:23 +13:00 |
| check-version.html | feat: fix documentation system - cards, PDFs, TOC, and navigation | 2025-10-07 22:51:55 +13:00 |
| docs-viewer.html | chore: cache busting for document review updates | 2025-10-12 20:42:46 +13:00 |
| docs.html | feat: add version control system and PWA support | 2025-10-14 10:53:29 +13:00 |
| faq.html | fix: inline FAQ markdown rendering and add inst_040 | 2025-10-14 12:51:08 +13:00 |
| favicon.ico | feat: implement Rule Manager and Project Manager admin systems | 2025-10-11 17:16:51 +13:00 |
| favicon.svg | feat: comprehensive documentation improvements and GitHub integration | 2025-10-09 14:33:14 +13:00 |
| implementer.html | fix: FAQ modal scrolling and standardize footers | 2025-10-14 12:46:23 +13:00 |
| index.html | feat: add version control system and PWA support | 2025-10-14 10:53:29 +13:00 |
| koha.html | chore: cache busting for document review updates | 2025-10-12 20:42:46 +13:00 |
| leader.html | fix: FAQ modal scrolling and standardize footers | 2025-10-14 12:46:23 +13:00 |
| manifest.json | feat: add version control system and PWA support | 2025-10-14 10:53:29 +13:00 |
| media-inquiry.html | fix: FAQ modal scrolling and standardize footers | 2025-10-14 12:46:23 +13:00 |
| media-triage-transparency.html | feat: comprehensive accessibility improvements (WCAG 2.1 AA) | 2025-10-12 07:08:40 +13:00 |
| privacy.html | chore: cache busting for document review updates | 2025-10-12 20:42:46 +13:00 |
| researcher.html | fix: FAQ modal scrolling and standardize footers | 2025-10-14 12:46:23 +13:00 |
| service-worker.js | fix: update CSP to allow cdnjs.cloudflare.com resources | 2025-10-14 13:01:11 +13:00 |
| version.json | fix: update CSP to allow cdnjs.cloudflare.com resources | 2025-10-14 13:01:11 +13:00 |