diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bd8d22..8bc5da2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@
 - Init support of Arch Linux
 - Fix Moodle example
 - Fix ROOT_FOLDER bug in serve-files.conf when using the UI
+- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY
+- Disable COUNTRY ban if IP is local
 
 ## v1.3.1 - 2021/09/02
 
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 0051f3b..15d7e78 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -66,15 +66,16 @@ local use_remote_api = {% if USE_REMOTE_API == "yes" %}true{% else %}false{% en
 -- include LUA code
 local whitelist = require "whitelist"
 local blacklist = require "blacklist"
-local dnsbl = require "dnsbl"
+local dnsbl = require "dnsbl"
 local cookie = require "cookie"
+local cjson = require "cjson"
 local javascript = require "javascript"
 local captcha = require "captcha"
 local recaptcha = require "recaptcha"
 local iputils = require "resty.iputils"
 local behavior = require "behavior"
 local logger = require "logger"
-local redis = require "resty.redis"
+local redis = require "resty.redis"
 local checker = require "checker"
 local limitreq = require "limitreq"
 
@@ -243,7 +244,7 @@ if use_referrer and ngx.var.http_referer ~= nil then
 end
 
 -- check if country is allowed
-if use_country and ngx.var.allowed_country == "no" then
+if use_country and ngx.var.allowed_country == "no" and not iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(ngx.shared.reserved_ips:get("data"))) then
 logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
 ngx.exit(ngx.HTTP_FORBIDDEN)
 end
diff --git a/settings.json b/settings.json
index a950868..8d947df 100644
--- a/settings.json
+++ b/settings.json
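Review bot: In the `-243,7 +244,7` hunk of confs/site/main-lua.conf, `ngx.shared.reserved_ips:get("data")` is passed straight to `cjson.decode`, so a nil result (the key is presumably populated at init, outside this diff) makes the decode raise and the request ends in an error instead of a clean decision. Reading the value first and treating nil as "not local" keeps the country ban in force: `local reserved = ngx.shared.reserved_ips:get("data")`, then `... and not (reserved ~= nil and iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(reserved))) then`. The exemption also relies on `ngx.var.remote_addr` being trustworthy; if the real-IP settings (not visible here) accept forwarded headers from untrusted peers, the COUNTRY check can be skipped, so a comment above the condition should state that assumption, e.g. `-- reserved/local ranges are exempt; remote_addr must come from a trusted real-IP source`.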
@@ -774,7 +774,7 @@
 },
 {
 "context": "multisite",
- "default": "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'",
+ "default": "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none'",
 "env": "FEATURE_POLICY",
 "id": "feature-policy",
 "label": "Feature policy",
@@ -783,7 +783,7 @@
 },
 {
 "context": "multisite",
- "default": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()",
+ "default": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
 "env": "PERMISSIONS_POLICY",
 "id": "permissions-policy",
 "label": "Permissions policy",
diff --git a/tests/Dockerfile-archlinux b/tests/Dockerfile-archlinux
index 69b6b51..5c33931 100644
--- a/tests/Dockerfile-archlinux
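Review bot: The new FEATURE_POLICY and PERMISSIONS_POLICY defaults (hunks `-774,7` and `-783,7` of settings.json) add `publickey-credentials-get` with an empty allowlist, which disables WebAuthn assertions on every site that keeps the default, same-origin use included. That is a behaviour change for applications that sign users in with security keys or passkeys, and the CHANGELOG entry only says the defaults were updated. Since settings.json cannot carry comments, I would extend the CHANGELOG line instead, for example `- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY (now also blocks publickey-credentials-get and web-share; override if your app uses WebAuthn)`.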
+++ b/tests/Dockerfile-archlinux
@@ -8,3 +8,5 @@ rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+RUN pacman -Syu --noconfirm