From 826172e8d2165730f362082a3421364933b39aa3 Mon Sep 17 00:00:00 2001
From: Untone
Date: Sat, 4 Oct 2025 08:55:39 +0300
Subject: [PATCH] fix: remove CSP headers causing ERR_BLOCKED_BY_ORB (v0.6.9)

- Remove Content-Security-Policy that blocked cross-origin image loading
- Remove X-Frame-Options: DENY (too strict for file CDN)
- Remove X-XSS-Protection (deprecated header)
- Keep minimal security headers: nosniff, Referrer-Policy, HSTS
- CORS now works without conflicts for browser image requests
---
 CHANGELOG.md | 14 ++++++++++++++
 Cargo.lock | 22 +++++++++++-----------
 Cargo.toml | 6 +++---
 src/handlers/universal.rs | 2 +-
 src/main.rs | 8 +-------
 src/security.rs | 4 ++--
 6 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5fec14b..1dbf18a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+## [0.6.9] - 2025-10-04
+
+### 🔒 Fixed: ERR_BLOCKED_BY_ORB
+- **❌ Убран CSP**: Удален `Content-Security-Policy` заголовок, который блокировал кросс-ориджин загрузку изображений
+- **❌ Убран X-Frame-Options**: DENY был излишне строгим для файлового CDN
+- **❌ Убран X-XSS-Protection**: Устаревший заголовок, не нужный для статики
+- **✅ Минимальные security headers**: Оставлены только `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `HSTS`
+- **✅ CORS работает**: Теперь изображения корректно загружаются из браузера без ORB блокировки
+
+### Technical Details
+- `src/main.rs`: Упрощены security headers для файлового CDN
+- CSP конфликтовал с CORS и вызывал ERR_BLOCKED_BY_ORB в Chrome/Edge
+- Файловый сервер не нуждается в защите от XSS/Clickjacking (нет HTML контента)
+
 ## [0.6.8] - 2025-10-03
 
 ### 🔒 Security: Early Scan Rejection
diff --git a/Cargo.lock b/Cargo.lock
index cec8798..8959271 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -392,9 +392,9 @@ checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "aws-config" -version = "1.8.6" +version = "1.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8bc1b40fb26027769f16960d2f4a6bc20c4bb755d403e552c8c1a73af433c246" +checksum = "04b37ddf8d2e9744a0b9c19ce0b78efe4795339a90b66b7bae77987092cd2e69" dependencies = [ "aws-credential-types", "aws-runtime", @@ -417,9 +417,9 @@ dependencies = [ [[package]] name = "aws-credential-types" -version = "1.2.6" +version = "1.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d025db5d9f52cbc413b167136afb3d8aeea708c0d8884783cf6253be5e22f6f2" +checksum = "799a1290207254984cb7c05245111bc77958b92a3c9bb449598044b36341cce6" dependencies = [ "aws-smithy-async", "aws-smithy-runtime-api", @@ -452,9 +452,9 @@ dependencies = [ [[package]] name = "aws-runtime" -version = "1.5.10" +version = "1.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c034a1bc1d70e16e7f4e4caf7e9f7693e4c9c24cd91cf17c2a0b21abaebc7c8b" +checksum = "2e1ed337dabcf765ad5f2fb426f13af22d576328aaf09eac8f70953530798ec0" dependencies = [ "aws-credential-types", "aws-sigv4", @@ -477,9 +477,9 @@ dependencies = [ [[package]] name = "aws-sdk-s3" -version = "1.106.0" +version = "1.107.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c230530df49ed3f2b7b4d9c8613b72a04cdac6452eede16d587fc62addfabac" +checksum = "adb9118b3454ba89b30df55931a1fa7605260fc648e070b5aab402c24b375b1f" dependencies = [ "aws-credential-types", "aws-runtime", 
@@ -511,9 +511,9 @@ dependencies = [
 
 [[package]]
 name = "aws-sdk-sts"
-version = "1.85.0"
+version = "1.87.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "410309ad0df4606bc721aff0d89c3407682845453247213a0ccc5ff8801ee107"
+checksum = "5871bec9a79a3e8d928c7788d654f135dde0e71d2dd98089388bab36b37ef607"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@@ -2890,7 +2890,7 @@ dependencies = [
 
 [[package]]
 name = "quoter"
-version = "0.6.8"
+version = "0.6.9"
 dependencies = [
 "actix",
 "actix-cors",
diff --git a/Cargo.toml b/Cargo.toml
index 192eabd..31ac60f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "quoter"
-version = "0.6.8"
+version = "0.6.9"
 edition = "2024"
 
 [dependencies]
@@ -15,12 +15,12 @@ redis = { version = "0.32.7", features = ["tokio-comp"] }
 tokio = { version = "1.47.1", features = ["rt-multi-thread", "macros", "fs", "net"] }
 serde = { version = "1.0.228", features = ["derive"] }
 sentry-actix = { version = "0.43", default-features = false }
-aws-sdk-s3 = { version = "1.106.0", default-features = false, features = ["rt-tokio", "rustls"] }
+aws-sdk-s3 = { version = "1.107.0", default-features = false, features = ["rt-tokio", "rustls"] }
 image = { version = "0.25.8", default-features = false, features = ["jpeg", "png", "webp", "tiff"] }
 mime_guess = "2.0.5"
 md5 = "0.8.0"
 url = "2.5.7"
-aws-config = { version = "1.8.6", default-features = false, features = ["rt-tokio", "rustls"] }
+aws-config = { version = "1.8.7", default-features = false, features = ["rt-tokio", "rustls"] }
 actix-multipart = "0.7.2"
 log = "0.4.28"
 env_logger = "0.11.8"
diff --git a/src/handlers/universal.rs b/src/handlers/universal.rs
index e5ceb72..34df3b3 100644
--- a/src/handlers/universal.rs
+++ b/src/handlers/universal.rs
@@ -65,7 +65,7 @@ async fn handle_get(
 // Silent 404 для сканов - без логирования
 return Ok(HttpResponse::NotFound().finish());
 }
-
+
 // GET /{path} - получение файла через proxy
 let path_without_slash = path.trim_start_matches('/');
 let requested_res = web::Path::from(path_without_slash.to_string());
diff --git a/src/main.rs b/src/main.rs
index 17b6b4f..bdae053 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -71,16 +71,10 @@ async fn main() -> std::io::Result<()> {
 .supports_credentials()
 .max_age(86400); // 1 день
 
-// Заголовки безопасности
+// Заголовки безопасности (минимальные для статического CDN)
 let security_headers = DefaultHeaders::new()
 .add(("X-Content-Type-Options", "nosniff"))
-.add(("X-Frame-Options", "DENY"))
-.add(("X-XSS-Protection", "1; mode=block"))
 .add(("Referrer-Policy", "strict-origin-when-cross-origin"))
-.add((
-"Content-Security-Policy",
-"default-src 'self'; img-src 'self' data: https:; object-src 'none';",
-))
 .add((
 "Strict-Transport-Security",
 "max-age=31536000; includeSubDomains",
diff --git a/src/security.rs b/src/security.rs
index 458637a..231f20e 100644
--- a/src/security.rs
+++ b/src/security.rs
@@ -108,8 +108,8 @@ impl SecurityConfig {
 "/wlwmanifest.xml",
 "/wp-json/",
 "/wordpress/",
-"wp-includes", // Добавлено для любых подпапок
-"wlwmanifest", // Добавлено без слеша
+"wp-includes", // Добавлено для любых подпапок
+"wlwmanifest", // Добавлено без слеша
 // Admin panels
 "/admin",
 "/phpmyadmin",
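Review bot: Dropping the `Content-Security-Policy` (and `X-Frame-Options`) lines in the main.rs hunk removes the only defense-in-depth this CDN had against an uploaded HTML or SVG file being rendered with script on its origin, and the header is an unlikely cause of ERR_BLOCKED_BY_ORB: a response's own CSP is enforced only when that response is rendered as a document or worker, not when another page loads it as an image, while Opaque Response Blocking decides on the response's `Content-Type` (and with `nosniff` kept, a missing or wrong `Content-Type` on the proxied file is enough to get it blocked). So if the blocking really disappeared with this change, I would verify which headers the image path actually returns before crediting the CSP removal. A policy that stops browsers from executing anything served from here while leaving image embedding untouched is `.add(("Content-Security-Policy", "default-src 'none'; sandbox"))`, and `X-Frame-Options: DENY` can stay unless files are meant to be shown inside iframes on other sites, since it too applies only when the response is rendered as a document. `main` begins and ends outside this hunk.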