disable country ban if IP is local, update default values of PERMISSIONS_POLICY and FEATURE_POLICY, upgrade archlinux packages before testing

CHANGELOG.md

@@ -9,6 +9,8 @@
 - Init support of Arch Linux
 - Fix Moodle example
 - Fix ROOT_FOLDER bug in serve-files.conf when using the UI
+- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY
+- Disable COUNTRY ban if IP is local
 
 ## v1.3.1 - 2021/09/02
 

confs/site/main-lua.conf

@@ -66,15 +66,16 @@ local use_remote_api		= {% if USE_REMOTE_API == "yes" %}true{% else %}false{% en
 -- include LUA code
 local whitelist			= require "whitelist"
 local blacklist			= require "blacklist"
-local dnsbl			= require "dnsbl"
+local dnsbl				= require "dnsbl"
 local cookie			= require "cookie"
+local cjson				= require "cjson"
 local javascript		= require "javascript"
 local captcha			= require "captcha"
 local recaptcha			= require "recaptcha"
 local iputils			= require "resty.iputils"
 local behavior			= require "behavior"
 local logger			= require "logger"
-local redis			= require "resty.redis"
+local redis				= require "resty.redis"
 local checker			= require "checker"
 local limitreq			= require "limitreq"
 
@@ -243,7 +244,7 @@ if use_referrer and ngx.var.http_referer ~= nil then
 end
 
 -- check if country is allowed
-if use_country and ngx.var.allowed_country == "no" then
+if use_country and ngx.var.allowed_country == "no" and not iputils.ip_in_cidrs(ngx.var.remote_addr, cjson.decode(ngx.shared.reserved_ips:get("data"))) then
 	logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
 	ngx.exit(ngx.HTTP_FORBIDDEN)
 end

settings.json

@@ -774,7 +774,7 @@
             },
             {
                 "context": "multisite",
-                "default": "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'",
+                "default": "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none'",
                 "env": "FEATURE_POLICY",
                 "id": "feature-policy",
                 "label": "Feature policy",
@@ -783,7 +783,7 @@
             },
             {
                 "context": "multisite",
-                "default": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()",
+                "default": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
                 "env": "PERMISSIONS_POLICY",
                 "id": "permissions-policy",
                 "label": "Permissions policy",

tests/Dockerfile-archlinux

@@ -8,3 +8,5 @@ rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+RUN pacman -Syu --noconfirm