fix: remove CSP headers causing ERR_BLOCKED_BY_ORB (v0.6.9)
- Remove Content-Security-Policy that blocked cross-origin image loading
- Remove X-Frame-Options: DENY (too strict for a file CDN)
- Remove X-XSS-Protection (deprecated header)
- Keep minimal security headers: nosniff, Referrer-Policy, HSTS
- CORS now works without conflicts for browser image requests
14
CHANGELOG.md
14
CHANGELOG.md
@@ -1,3 +1,17 @@
|
||||
## [0.6.9] - 2025-10-04
|
||||
|
||||
### 🔒 Fixed: ERR_BLOCKED_BY_ORB
|
||||
- **❌ Убран CSP**: Удален `Content-Security-Policy` заголовок, который блокировал кросс-ориджин загрузку изображений
|
||||
- **❌ Убран X-Frame-Options**: DENY был излишне строгим для файлового CDN
|
||||
- **❌ Убран X-XSS-Protection**: Устаревший заголовок, не нужный для статики
|
||||
- **✅ Минимальные security headers**: Оставлены только `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `HSTS`
|
||||
- **✅ CORS работает**: Теперь изображения корректно загружаются из браузера без ORB блокировки
|
||||
|
||||
### Technical Details
|
||||
- `src/main.rs`: Упрощены security headers для файлового CDN
|
||||
- CSP конфликтовал с CORS и вызывал ERR_BLOCKED_BY_ORB в Chrome/Edge
|
||||
- Файловый сервер не нуждается в защите от XSS/Clickjacking (нет HTML контента)
|
||||
|
||||
## [0.6.8] - 2025-10-03
|
||||
|
||||
### 🔒 Security: Early Scan Rejection
|
||||
|
||||
22
Cargo.lock
generated
22
Cargo.lock
generated
@@ -392,9 +392,9 @@ checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26"
|
||||
|
||||
[[package]]
|
||||
name = "aws-config"
|
||||
version = "1.8.6"
|
||||
version = "1.8.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8bc1b40fb26027769f16960d2f4a6bc20c4bb755d403e552c8c1a73af433c246"
|
||||
checksum = "04b37ddf8d2e9744a0b9c19ce0b78efe4795339a90b66b7bae77987092cd2e69"
|
||||
dependencies = [
|
||||
"aws-credential-types",
|
||||
"aws-runtime",
|
||||
@@ -417,9 +417,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "aws-credential-types"
|
||||
version = "1.2.6"
|
||||
version = "1.2.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d025db5d9f52cbc413b167136afb3d8aeea708c0d8884783cf6253be5e22f6f2"
|
||||
checksum = "799a1290207254984cb7c05245111bc77958b92a3c9bb449598044b36341cce6"
|
||||
dependencies = [
|
||||
"aws-smithy-async",
|
||||
"aws-smithy-runtime-api",
|
||||
@@ -452,9 +452,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "aws-runtime"
|
||||
version = "1.5.10"
|
||||
version = "1.5.11"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c034a1bc1d70e16e7f4e4caf7e9f7693e4c9c24cd91cf17c2a0b21abaebc7c8b"
|
||||
checksum = "2e1ed337dabcf765ad5f2fb426f13af22d576328aaf09eac8f70953530798ec0"
|
||||
dependencies = [
|
||||
"aws-credential-types",
|
||||
"aws-sigv4",
|
||||
@@ -477,9 +477,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "aws-sdk-s3"
|
||||
version = "1.106.0"
|
||||
version = "1.107.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2c230530df49ed3f2b7b4d9c8613b72a04cdac6452eede16d587fc62addfabac"
|
||||
checksum = "adb9118b3454ba89b30df55931a1fa7605260fc648e070b5aab402c24b375b1f"
|
||||
dependencies = [
|
||||
"aws-credential-types",
|
||||
"aws-runtime",
|
||||
@@ -511,9 +511,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "aws-sdk-sts"
|
||||
version = "1.85.0"
|
||||
version = "1.87.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "410309ad0df4606bc721aff0d89c3407682845453247213a0ccc5ff8801ee107"
|
||||
checksum = "5871bec9a79a3e8d928c7788d654f135dde0e71d2dd98089388bab36b37ef607"
|
||||
dependencies = [
|
||||
"aws-credential-types",
|
||||
"aws-runtime",
|
||||
@@ -2890,7 +2890,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "quoter"
|
||||
version = "0.6.8"
|
||||
version = "0.6.9"
|
||||
dependencies = [
|
||||
"actix",
|
||||
"actix-cors",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "quoter"
|
||||
version = "0.6.8"
|
||||
version = "0.6.9"
|
||||
edition = "2024"
|
||||
|
||||
[dependencies]
|
||||
@@ -15,12 +15,12 @@ redis = { version = "0.32.7", features = ["tokio-comp"] }
|
||||
tokio = { version = "1.47.1", features = ["rt-multi-thread", "macros", "fs", "net"] }
|
||||
serde = { version = "1.0.228", features = ["derive"] }
|
||||
sentry-actix = { version = "0.43", default-features = false }
|
||||
aws-sdk-s3 = { version = "1.106.0", default-features = false, features = ["rt-tokio", "rustls"] }
|
||||
aws-sdk-s3 = { version = "1.107.0", default-features = false, features = ["rt-tokio", "rustls"] }
|
||||
image = { version = "0.25.8", default-features = false, features = ["jpeg", "png", "webp", "tiff"] }
|
||||
mime_guess = "2.0.5"
|
||||
md5 = "0.8.0"
|
||||
url = "2.5.7"
|
||||
aws-config = { version = "1.8.6", default-features = false, features = ["rt-tokio", "rustls"] }
|
||||
aws-config = { version = "1.8.7", default-features = false, features = ["rt-tokio", "rustls"] }
|
||||
actix-multipart = "0.7.2"
|
||||
log = "0.4.28"
|
||||
env_logger = "0.11.8"
|
||||
|
||||
@@ -65,7 +65,7 @@ async fn handle_get(
|
||||
// Silent 404 для сканов - без логирования
|
||||
return Ok(HttpResponse::NotFound().finish());
|
||||
}
|
||||
|
||||
|
||||
// GET /{path} - получение файла через proxy
|
||||
let path_without_slash = path.trim_start_matches('/');
|
||||
let requested_res = web::Path::from(path_without_slash.to_string());
|
||||
|
||||
@@ -71,16 +71,10 @@ async fn main() -> std::io::Result<()> {
|
||||
.supports_credentials()
|
||||
.max_age(86400); // 1 день
|
||||
|
||||
// Заголовки безопасности
|
||||
// Заголовки безопасности (минимальные для статического CDN)
|
||||
let security_headers = DefaultHeaders::new()
|
||||
.add(("X-Content-Type-Options", "nosniff"))
|
||||
.add(("X-Frame-Options", "DENY"))
|
||||
.add(("X-XSS-Protection", "1; mode=block"))
|
||||
.add(("Referrer-Policy", "strict-origin-when-cross-origin"))
|
||||
.add((
|
||||
"Content-Security-Policy",
|
||||
"default-src 'self'; img-src 'self' data: https:; object-src 'none';",
|
||||
))
|
||||
.add((
|
||||
"Strict-Transport-Security",
|
||||
"max-age=31536000; includeSubDomains",
|
||||
|
||||
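Review bot: Removing Content-Security-Policy in this hunk is unlikely to be what cleared ERR_BLOCKED_BY_ORB, because CSP and X-Frame-Options are evaluated only when a response is rendered as a document or frame, not when it is consumed as a cross-origin `<img>` subresource. ORB decides on the response Content-Type, and the retained `X-Content-Type-Options: nosniff` makes that check strict, so an image served with a missing or generic type (e.g. `application/octet-stream`) would still be blocked; worth confirming against the actual response headers rather than attributing the fix to this change. If the goal is to allow cross-origin embedding explicitly, the header that expresses that is `.add(("Cross-Origin-Resource-Policy", "cross-origin"))`, which could take the place of the removed X-Frame-Options line. The removed CSP was also the only control on a served file opened directly as a document, so if uploads can include HTML-like types such as SVG, a per-response `Content-Security-Policy: sandbox` for those types would be worth keeping. The `DefaultHeaders` builder chain begun at `let security_headers` ends outside the hunk.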
@@ -108,8 +108,8 @@ impl SecurityConfig {
|
||||
"/wlwmanifest.xml",
|
||||
"/wp-json/",
|
||||
"/wordpress/",
|
||||
"wp-includes", // Добавлено для любых подпапок
|
||||
"wlwmanifest", // Добавлено без слеша
|
||||
"wp-includes", // Добавлено для любых подпапок
|
||||
"wlwmanifest", // Добавлено без слеша
|
||||
// Admin panels
|
||||
"/admin",
|
||||
"/phpmyadmin",
|
||||
|
||||