~tsileo/microblog.pub-devel


[PATCH microblog.pub 0/3] Small fixes

Message ID: <166183229530.13477.3169246019533282793-0@git.sr.ht>
DKIM signature: missing
Hi @tsileo

These are just some small improvements/fixes observed:

1) The TODO comment on the inline CSS can now be removed
2) I hardened the CSP a bit. Some attributes such as 'frame-ancestors',
'form-action' and 'base-uri' do not inherit the default-src. Not
specifying them is the same thing as allowing them from anywhere. A
common oversight
3) A couple small typos in the install docs
4) I noticed that if I clicked on a post that one of my followers made
in reply to someone else (the latter of whom I don't follow), which was
marked 'followers-only', Microblog says 'the remote object was deleted'.
However, that's not necessarily the case: it might be that because I
don't follow that third person, I can't see their original 'followers-
only' post, only my friend's reply. Changed the wording slightly.

I'm running these changes on my instance; it seems OK. I have spotted a
couple more bugs that I haven't been able to fix, and which I'll report
separately.

Miguel Jacq (3):
  Small typos in docs/install.md
  Harden the CSP a bit for values that don't inherit default-src. Set
    Permissions-Policy. Remove TODO
  'followers-only' posts are not necessarily deleted, but may not be
    viewable to the signed-in actor

 app/main.py               | 7 ++++---
 app/templates/lookup.html | 2 +-
 docs/install.md           | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)

-- 
2.34.4
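
The non-inheritance rule from item 2 of the cover letter, as an added example that is not part of the patchset or of microblog.pub: a small checker that parses a CSP header and reports which of `base-uri`, `form-action` and `frame-ancestors` are left unrestricted because they do not fall back to `default-src`. The `BEFORE`/`AFTER` policies and the `sha256-PLACEHOLDER` hash are constructed for the demo.

```python
"""Check a Content-Security-Policy header for directives that do not
fall back to default-src.  Added example, not microblog.pub code."""
from __future__ import annotations

# Fetch directives fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src",
    "style-src", "worker-src",
}
# Document/navigation directives have no fallback: absent means unrestricted.
NON_INHERITING = {"base-uri", "form-action", "frame-ancestors"}

# Constructed sample policies (the hash value is a placeholder, not a real digest).
BEFORE = "default-src 'self'; style-src 'self' 'sha256-PLACEHOLDER';"
AFTER = (
    "default-src 'self'; style-src 'self' 'sha256-PLACEHOLDER'; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}; first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty token, e.g. after a trailing ';'
        name, *sources = parts
        policy.setdefault(name.lower(), sources)
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list the browser enforces for `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # may still be None if no default-src
    return None  # non-inheriting directive and not set: allowed from anywhere


def missing_non_inheriting(header: str) -> list[str]:
    """Names of base-uri/form-action/frame-ancestors left unrestricted."""
    policy = parse_csp(header)
    return sorted(d for d in NON_INHERITING if effective_sources(policy, d) is None)
```

Running `missing_non_inheriting(BEFORE)` lists all three directives; the same call on `AFTER` returns an empty list, while `img-src` is covered by `default-src` in both.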

[PATCH microblog.pub 1/3] Small typos in docs/install.md

Message ID: <166183229530.13477.3169246019533282793-1@git.sr.ht>
In-Reply-To: <166183229530.13477.3169246019533282793-0@git.sr.ht>
DKIM signature: missing
Patch: +2 -2
From: Miguel Jacq <mig@mig5.net>

---
 docs/install.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/install.md b/docs/install.md
index bde2871..16ff2b4 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -105,7 +105,7 @@ Setup a reverse proxy (see the next section).

### Updating 

To update microblogpub locally, pull the remote changes and run the `update` task to regeneratee the CSS and run any DB migrations.
To update microblogpub locally, pull the remote changes and run the `update` task to regenerate the CSS and run any DB migrations.

```bash
git pull
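Review bot: while touching this paragraph, the hunk-header context `Setup a reverse proxy (see the next section).` uses the noun form where the verb `Set up` is meant; the fix for `regeneratee` is correct as written.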
@@ -136,7 +136,7 @@ server {
    # [...]
}

# This should be oustside the `server` block
# This should be outside the `server` block
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
-- 
2.34.4

[PATCH microblog.pub 2/3] Harden the CSP a bit for values that don't inherit default-src. Set Permissions-Policy. Remove TODO

Message ID: <166183229530.13477.3169246019533282793-2@git.sr.ht>
In-Reply-To: <166183229530.13477.3169246019533282793-0@git.sr.ht>
DKIM signature: missing
Patch: +4 -3
From: Miguel Jacq <mig@mig5.net>

---
 app/main.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/main.py b/app/main.py
index 63f740b..e29f2f3 100644
--- a/app/main.py
+++ b/app/main.py
@@ -132,11 +132,12 @@ class CustomMiddleware:
                ] = "no-referrer, strict-origin-when-cross-origin"
                headers["x-content-type-options"] = "nosniff"
                headers["x-xss-protection"] = "1; mode=block"
                headers["x-frame-options"] = "SAMEORIGIN"
                # TODO(ts): disallow inline CSS?
                headers["x-frame-options"] = "DENY"
                headers["permissions-policy"] = "interest-cohort=()"
                headers["content-security-policy"] = (
                    f"default-src 'self'; "
                    f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}';"
                    f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
                    f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
                )
                if not DEBUG:
                    headers["strict-transport-security"] = "max-age=63072000;"
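Review bot: the pieces `f"default-src 'self'; "` and `f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"` are f-strings without placeholders; drop the `f` prefix on those two and keep it only on the `HIGHLIGHT_CSS_HASH` line (linters flag this as F541). The policy also ends in `'self';`, leaving an empty trailing directive; harmless, but worth trimming. Switching `x-frame-options` to `DENY` is consistent with the new `frame-ancestors 'none'` (the CSP directive takes precedence where supported, the header covers older browsers). Two things to verify before merging: `form-action 'self'` blocks form submissions to any other origin, so any page that POSTs a form to a remote instance, or a submit that redirects cross-origin, should be exercised once; and with a strict CSP in place the legacy `x-xss-protection: 1; mode=block` context line is better set to `0`, since the auditor it enables is deprecated and has itself been a source of cross-site information leaks.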
-- 
2.34.4

[PATCH microblog.pub 3/3] 'followers-only' posts are not necessarily deleted, but may not be viewable to the signed-in actor

Message ID: <166183229530.13477.3169246019533282793-3@git.sr.ht>
In-Reply-To: <166183229530.13477.3169246019533282793-0@git.sr.ht>
DKIM signature: missing
Patch: +1 -1
From: Miguel Jacq <mig@mig5.net>

---
 app/templates/lookup.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/templates/lookup.html b/app/templates/lookup.html
index 8934683..611a944 100644
--- a/app/templates/lookup.html
+++ b/app/templates/lookup.html
@@ -19,7 +19,7 @@
    {% if error %}
    <div class="box error-box">
        {% if error.value == "NOT_FOUND" %}
        <p>The remote object was deleted.</p>
        <p>The remote object is unavailable.</p>
        {% elif error.value == "TIMEOUT" %}
        <p>Lookup timed out, please try refreshing the page.</p>
        {% else %}
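Review bot: `The remote object is unavailable.` is more accurate than `deleted`, but it drops the reason the cover letter gives; since `NOT_FOUND` covers both an object that was deleted and one the signed-in actor is not permitted to see, consider spelling that out, e.g. `<p>The remote object is unavailable: it may have been deleted, or it may not be visible to this account.</p>`.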
-- 
2.34.4

[microblog.pub/patches/.build.yml] build success

builds.sr.ht <builds@sr.ht>
Message ID: <CMJ2FTGPJMGV.3KOG8G61JW4PL@cirno2>
In-Reply-To: <166183229530.13477.3169246019533282793-3@git.sr.ht>
DKIM signature: missing
microblog.pub/patches/.build.yml: SUCCESS in 2m35s

[Small fixes][0] from [~mig5][1]

[0]: https://lists.sr.ht/~tsileo/microblog.pub-devel/patches/35006
[1]: mig@mig5.net

✓ #834516 SUCCESS microblog.pub/patches/.build.yml https://builds.sr.ht/~tsileo/job/834516

Re: [PATCH microblog.pub 3/3] 'followers-only' posts are not necessarily deleted, but may not be viewable to the signed-in actor

Message ID: <f4b272fd-6373-42cb-91cf-09f30693003c@www.fastmail.com>
In-Reply-To: <166183229530.13477.3169246019533282793-3@git.sr.ht>
DKIM signature: pass
Hey!

Awesome thank you for your contributions, I just applied the patches!

Thanks!