BugFixes galore

2026-03-08 17:01:36 +01:00
parent 781f0f14fa
commit c8895c8e80
39 changed files with 2255 additions and 237 deletions
--- a/next.config.ts
+++ b/next.config.ts
@@ -28,76 +28,28 @@ const nextConfig: NextConfig = {
    ],
  },

+  // Security headers (CSP + non-CSP) are applied by proxy.ts so they can
+  // include a per-request nonce. Only static headers that don't conflict are
+  // set here for paths the middleware doesn't cover (e.g. _next/static).
  async headers() {
-    const cspDirectives = [
-      "default-src 'self'",
-      // Scripts: self + strict-dynamic (Turbopack compatible)
-      "script-src 'self' 'unsafe-inline'",
-      // Styles: self + unsafe-inline (required for Tailwind/CSS-in-JS in Next.js)
-      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
-      // Fonts
-      "font-src 'self' https://fonts.gstatic.com data:",
-      // Images: self + data URIs + MC avatar APIs
-      "img-src 'self' data: blob: https://crafatar.com https://mc-heads.net https://visage.surgeplay.com https://minotar.net",
-      // Connect: self + WebSocket for Socket.io
-      "connect-src 'self' ws: wss:",
-      // Frames: allow same-origin (BlueMap) + configurable origins
-      "frame-src 'self'",
-      // Frame ancestors: only same origin (replaces X-Frame-Options)
-      "frame-ancestors 'self'",
-      // Workers: self + blob (xterm.js, Monaco)
-      "worker-src 'self' blob:",
-      // Media
-      "media-src 'self'",
-      // Manifest
-      "manifest-src 'self'",
-      // Object: none
-      "object-src 'none'",
-      // Base URI
-      "base-uri 'self'",
-      // Form actions
-      "form-action 'self'",
-      // Upgrade insecure requests in production
-      ...(process.env.NODE_ENV === "production"
-        ? ["upgrade-insecure-requests"]
-        : []),
-    ].join("; ");
-
-    const securityHeaders = [
-      {
-        key: "Content-Security-Policy",
-        value: cspDirectives,
-      },
-      {
-        key: "X-Frame-Options",
-        value: "SAMEORIGIN",
-      },
-      {
-        key: "X-Content-Type-Options",
-        value: "nosniff",
-      },
-      {
-        key: "Referrer-Policy",
-        value: "strict-origin-when-cross-origin",
-      },
-      {
-        key: "Permissions-Policy",
-        value: "camera=(), microphone=(), geolocation=(), browsing-topics=()",
-      },
-      {
-        key: "X-DNS-Prefetch-Control",
-        value: "on",
-      },
-      {
-        key: "Strict-Transport-Security",
-        value: "max-age=63072000; includeSubDomains; preload",
-      },
-    ];
-
    return [
      {
        source: "/(.*)",
-        headers: securityHeaders,
+        headers: [
+          // CSP is intentionally omitted here — proxy.ts owns it.
+          { key: "X-Frame-Options", value: "SAMEORIGIN" },
+          { key: "X-Content-Type-Options", value: "nosniff" },
+          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
+          {
+            key: "Permissions-Policy",
+            value: "camera=(), microphone=(), geolocation=(), browsing-topics=()",
+          },
+          { key: "X-DNS-Prefetch-Control", value: "on" },
+          {
+            key: "Strict-Transport-Security",
+            value: "max-age=63072000; includeSubDomains; preload",
+          },
+        ],
      },
    ];
  },