From 0c006f9afd1def78b336cc5db47e1b3284acaacc Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Mon, 15 Feb 2021 03:25:22 -0500
Subject: [PATCH] add preload headers for core fonts

---
 nginx/nginx.conf            | 10 ++++++----
 nginx/snippets/preload.conf |  4 ++++
 2 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 nginx/snippets/preload.conf

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 6aef6e32..4e2e1372 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -208,12 +208,14 @@ http {
 
         location = /404 {
             internal;
-            http2_push /grapheneos.css?29;
+            include snippets/security-headers.conf;
+            include snippets/preload.conf;
         }
 
         location = /404.html {
             internal;
-            http2_push /grapheneos.css?29;
+            include snippets/security-headers.conf;
+            include snippets/preload.conf;
         }
 
         # broken link (now fixed) on https://noagendaphone.com/ with UTF-8 replacement character
@@ -252,15 +254,15 @@ http {
             add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
             add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=()" always;
             add_header Cache-Control "public, max-age=1800";
+            include snippets/preload.conf;
             try_files $uri.html =404;
-            http2_push /grapheneos.css?29;
         }
 
         location / {
             include snippets/security-headers.conf;
             add_header Cache-Control "public, max-age=1800";
+            include snippets/preload.conf;
             try_files $uri $uri.html $uri/ =404;
-            http2_push /grapheneos.css?29;
         }
     }
 
diff --git a/nginx/snippets/preload.conf b/nginx/snippets/preload.conf
new file mode 100644
index 00000000..3d89f332
--- /dev/null
+++ b/nginx/snippets/preload.conf
@@ -0,0 +1,4 @@
+add_header Link "</grapheneos.css?29>; rel=preload; as=style" always;
+add_header Link "</fonts/roboto_latin.woff2?20>; rel=preload; as=font; crossorigin" always;
+add_header Link "</fonts/roboto_bold_latin.woff2?20>; rel=preload; as=font; crossorigin" always;
+http2_push /grapheneos.css?29;