pages/pages-server
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/pages-server.git synced 2025-01-19 08:57:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Re-allow hosting HTML, JS & CSS from *.org

Browse source 
This resolves a regression from 5553585631 - `Content-Type: text/plain` was mistakenly set on pages like fonts.codeberg.org for HTML, JS and CSS files.
This commit is contained in:
Moritz Marquardt 2021-02-20 20:33:51 +01:00
parent 21dcda3889
commit c5115c10fd
1 changed files with 11 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
var/www/pages/index.php
View file

@ -15,7 +15,6 @@ $request_url = filter_var($request_uri, FILTER_SANITIZE_URL);
$request_url = str_replace("%20", " ", $request_url);
$request_url_parts = explode("/", $request_url);
$request_url_parts = array_diff($request_url_parts, array("")); # Remove empty parts in URL
$cors = false;
$repo = "pages";
@ -29,7 +28,8 @@ if ($tld === "org") {
if (array_key_exists($subdomain, $subdomain_repo)) {
$owner = $subdomain_repo[$subdomain][0];
$repo = $subdomain_repo[$subdomain][1];
$cors = true;
// Allow CORS requests to static *.codeberg.org pages, for web fonts etc.
header("Access-Control-Allow-Origin: *");
} else {
$owner = strtolower(array_shift($request_url_parts));
if (!$owner) {
@ -61,11 +61,18 @@ if ($tld === "org") {
$body = substr($response, $header_size);
foreach($header as $h) {
if ($h && substr($h, 0, 11) != "Set-Cookie:")
header($h);
if (substr($h, 0, 13) == "Content-Type:" && strpos($h, "text/html") !== false)
// text/html shouldn't be rendered on raw.codeberg.org, as it might confuse both users (with it being a legit codeberg.org subdomain) and developers (with it having a really strict CSP)
header(str_replace("text/html", "text/plain", $h));
else
header($h);
}
// Allow CORS
header("Access-Control-Allow-Origin: *");
// Even though text/html isn't allowed, SVG files might still invoke JavaScript, which is blocked here
header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox");
header("Access-Control-Allow-Origin: *");
send_response($status, $body);
die();
}
}
@ -157,12 +164,6 @@ $mime_type = "application/octet-stream";
if (array_key_exists($ext, $mime_types))
$mime_type = $mime_types[$ext];
if ($cors === true) {
header("Access-Control-Allow-Origin: *");
if ($ext === "html" || $ext === "js" || $ext === "css")
$mime_type = "text/plain";
}
header("Content-Type: " . $mime_type);
#header("Cache-Control: public, max-age=10, immutable");