From c5115c10fd150e08c7edf402c2b28598d4c538d3 Mon Sep 17 00:00:00 2001
From: Moritz Marquardt
Date: Sat, 20 Feb 2021 20:33:51 +0100
Subject: [PATCH] Re-allow hosting HTML, JS & CSS from *.org

This resolves a regression from 5553585631 - `Content-Type: text/plain` was mistakenly set on pages like fonts.codeberg.org for HTML, JS and CSS files.
---
 var/www/pages/index.php | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/var/www/pages/index.php b/var/www/pages/index.php
index 9353dc7..f97524d 100644
--- a/var/www/pages/index.php
+++ b/var/www/pages/index.php
@@ -15,7 +15,6 @@ $request_url = filter_var($request_uri, FILTER_SANITIZE_URL);
 $request_url = str_replace("%20", " ", $request_url);
 $request_url_parts = explode("/", $request_url);
 $request_url_parts = array_diff($request_url_parts, array("")); # Remove empty parts in URL
-$cors = false;
 $repo = "pages";
@@ -29,7 +28,8 @@ if ($tld === "org") {
     if (array_key_exists($subdomain, $subdomain_repo)) {
         $owner = $subdomain_repo[$subdomain][0];
         $repo = $subdomain_repo[$subdomain][1];
-        $cors = true;
+        // Allow CORS requests to static *.codeberg.org pages, for web fonts etc.
+        header("Access-Control-Allow-Origin: *");
     } else {
         $owner = strtolower(array_shift($request_url_parts));
         if (!$owner) {
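Review bot: With the `$cors` block removed later in this patch, HTML, JS and CSS from a repo matched in `$subdomain_repo` are now served under a `codeberg.org` subdomain with their real type (presumably via `$mime_types`), and nothing on this branch attaches a Content-Security-Policy, unlike the `raw` branch further down, so the only thing gating script execution under that origin is the `$subdomain_repo` allowlist. That is presumably intentional, and I would say so next to the new header: `// HTML/JS/CSS is served with its real MIME type here only because $subdomain_repo is an operator-curated allowlist, not user-controlled`. Note also that `Access-Control-Allow-Origin: *` is now emitted as soon as the subdomain matches, before the request has been resolved to a file, so it is also sent on whatever error response the later code produces; harmless for `*`, but a change from the old `$cors` flag that only applied at response time. The enclosing `if ($tld === "org")` block starts before this hunk.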
@@ -61,11 +61,18 @@ if ($tld === "org") {
         $body = substr($response, $header_size);
         foreach($header as $h) {
             if ($h && substr($h, 0, 11) != "Set-Cookie:")
-                header($h);
+                if (substr($h, 0, 13) == "Content-Type:" && strpos($h, "text/html") !== false)
+                    // text/html shouldn't be rendered on raw.codeberg.org, as it might confuse both users (with it being a legit codeberg.org subdomain) and developers (with it having a really strict CSP)
+                    header(str_replace("text/html", "text/plain", $h));
+                else
+                    header($h);
         }
+        // Allow CORS
+        header("Access-Control-Allow-Origin: *");
+        // Even though text/html isn't allowed, SVG files might still invoke JavaScript, which is blocked here
         header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox");
-        header("Access-Control-Allow-Origin: *");
         send_response($status, $body);
+        die();
     }
 }
@@ -157,12 +164,6 @@ $mime_type = "application/octet-stream";
 if (array_key_exists($ext, $mime_types))
     $mime_type = $mime_types[$ext];
-if ($cors === true) {
-    header("Access-Control-Allow-Origin: *");
-    if ($ext === "html" || $ext === "js" || $ext === "css")
-        $mime_type = "text/plain";
-}
-
 header("Content-Type: " . $mime_type);
 #header("Cache-Control: public, max-age=10, immutable");
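Review bot: The text/html downgrade in the `foreach` is matched case-sensitively — `substr($h, 0, 13) == "Content-Type:"`, `strpos($h, "text/html")` and `str_replace(...)` — while HTTP header names and media types are case-insensitive, so an upstream `content-type: Text/HTML` (or, inferred, `application/xhtml+xml`, which browsers also render as a document) would be forwarded unchanged on raw.codeberg.org; I would write the test as `if (strncasecmp($h, "Content-Type:", 13) == 0 && stripos($h, "text/html") !== false)` and emit `header(str_ireplace("text/html", "text/plain", $h));`. Since this branch now deliberately relies on the declared type to keep user content from rendering, add `header("X-Content-Type-Options: nosniff");` next to the CSP so browsers cannot sniff the text/plain body back into a renderable type. The braceless `if` nested inside a braceless `if` followed by `else` does bind the `else` to the inner `if` as intended in PHP, but braces on the outer `if` would make that explicit. The enclosing `if ($tld === "org")` block starts before this hunk.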