Closes #193 Migrate three inline-style React props to CSS classes / CSSOM: - ErrorExpansion: cursor:copy and copy-hint color moved to BEM classes - SegmentedControl: dynamic transform now driven by --ec-segment-offset CSS var, set via useLayoutEffect + ref.style.setProperty Remove 'unsafe-inline' from style-src in all three enforcement layers: - vite.config.web.ts (prod only; dev keeps it for HMR) - nginx.conf (both CSP directives) - public/_headers (Cloudflare Pages) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
51 lines
2 KiB
Nginx Configuration File
51 lines
2 KiB
Nginx Configuration File
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
gzip on;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/wasm;
|
|
gzip_min_length 1024;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Required for SharedArrayBuffer (multi-threaded WASM)
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
add_header Cross-Origin-Embedder-Policy "require-corp" always;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "no-referrer" always;
|
|
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; worker-src 'self' blob:; manifest-src 'self'; base-uri 'none'; frame-ancestors 'none'" always;
|
|
|
|
# Cache static assets (hashed filenames) for 1 year
|
|
location /assets/ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
add_header Cross-Origin-Embedder-Policy "require-corp" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; worker-src 'self' blob:; manifest-src 'self'; base-uri 'none'; frame-ancestors 'none'" always;
|
|
}
|
|
|
|
# Service worker — no cache (must always be fresh)
|
|
location /sw.js {
|
|
expires -1;
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
add_header Cross-Origin-Embedder-Policy "require-corp" always;
|
|
}
|
|
|
|
# SPA fallback — all routes serve index.html
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
}
|
|
}
|