fix: remove CSP headers causing ERR_BLOCKED_BY_ORB (v0.6.9)

- Remove Content-Security-Policy that blocked cross-origin image loading - Remove X-Frame-Options: DENY (too strict for file CDN) - Remove X-XSS-Protection (deprecated header) - Keep minimal security headers: nosniff, Referrer-Policy, HSTS - CORS now works without conflicts for browser image requests
2025-10-04 08:55:39 +03:00
parent 9d68c0c078
commit 826172e8d2
6 changed files with 32 additions and 24 deletions
--- a/src/handlers/universal.rs
+++ b/src/handlers/universal.rs
@@ -65,7 +65,7 @@ async fn handle_get(
                // Silent 404 для сканов - без логирования
                return Ok(HttpResponse::NotFound().finish());
            }
-            
+
            // GET /{path} - получение файла через proxy
            let path_without_slash = path.trim_start_matches('/');
            let requested_res = web::Path::from(path_without_slash.to_string());
--- a/src/main.rs
+++ b/src/main.rs
@@ -71,16 +71,10 @@ async fn main() -> std::io::Result<()> {
            .supports_credentials()
            .max_age(86400); // 1 день

-        // Заголовки безопасности
+        // Заголовки безопасности (минимальные для статического CDN)
        let security_headers = DefaultHeaders::new()
            .add(("X-Content-Type-Options", "nosniff"))
-            .add(("X-Frame-Options", "DENY"))
-            .add(("X-XSS-Protection", "1; mode=block"))
            .add(("Referrer-Policy", "strict-origin-when-cross-origin"))
-            .add((
-                "Content-Security-Policy",
-                "default-src 'self'; img-src 'self' data: https:; object-src 'none';",
-            ))
            .add((
                "Strict-Transport-Security",
                "max-age=31536000; includeSubDomains",
--- a/src/security.rs
+++ b/src/security.rs
@@ -108,8 +108,8 @@ impl SecurityConfig {
            "/wlwmanifest.xml",
            "/wp-json/",
            "/wordpress/",
-            "wp-includes",  // Добавлено для любых подпапок
-            "wlwmanifest",  // Добавлено без слеша
+            "wp-includes", // Добавлено для любых подпапок
+            "wlwmanifest", // Добавлено без слеша
            // Admin panels
            "/admin",
            "/phpmyadmin",