smdyv 
							
						 
					 
					
						
						
						
						
							
						
						
							4430036ea2 
							
						 
					 
					
						
						
							
							Change string markings for replacements  
						
						
						
						
					 
					
						2023-07-13 16:08:16 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							fafee3dcbc 
							
						 
					 
					
						
						
							
							drop legacy block-all-mixed-content  
						
						
						
						
					 
					
						2023-07-11 11:23:57 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							bfdffb6751 
							
						 
					 
					
						
						
							
							block WebRTC in Content Security Policy  
						
						
						
						
					 
					
						2023-07-10 23:04:29 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							8f2b158041 
							
						 
					 
					
						
						
							
							drop configuration to clear legacy push cookie  
						
						
						
						
					 
					
						2023-03-24 18:46:50 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							8649a94b53 
							
						 
					 
					
						
						
							
							update Roboto fonts  
						
						
						
						
					 
					
						2023-03-06 11:41:01 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							1bc589d45f 
							
						 
					 
					
						
						
							
							drop HTTP/2 Push support since Chromium dropped it  
						
						
						
						
						This only improves performance for the initial page load by sending
resources that are almost always needed before the client receives the
preload headers and fetches them. It can degrade performance in some
edge cases such as clients with web fonts disabled or if the session
cookie is cleared without the cache being cleared. Clients can cancel
the push transfers once they start receiving them, but it's wasteful.
Safari and Firefox still support this feature but are likely to follow
the lead of Chromium and drop support for it. Few websites are going to
bother with it without Chromium support and usage is already dropping. 
						
						
					 
					
						2023-02-10 03:56:20 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							28262ab2b7 
							
						 
					 
					
						
						
							
							disable bluetooth in Permissions Policy  
						
						
						
						
					 
					
						2022-10-11 12:09:01 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							b03215be9d 
							
						 
					 
					
						
						
							
							disable keyboard-map in Permissions Policy  
						
						
						
						
					 
					
						2022-10-11 11:25:19 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							7d0ad1a4de 
							
						 
					 
					
						
						
							
							disable local-fonts in Permissions Policy  
						
						
						
						
					 
					
						2022-10-11 11:15:10 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							3991e51b7e 
							
						 
					 
					
						
						
							
							remove legacy Expect-CT header  
						
						
						
						
					 
					
						2022-08-25 23:15:08 -04:00 
						 
				 
			
				
					
						
							
							
								Rohan Kumar 
							
						 
					 
					
						
						
						
						
							
						
						
							d6fd0df002 
							
						 
					 
					
						
						
							
							Add "Origin-Agent-Cluster" header  
						
						
						
						
						Hint to browsers that we prefer per-origin process isolation. This
disables certain unsafe features regarding cross-origin same-site
resource sharing.
https://web.dev/origin-agent-cluster/#limitations 
Specification link:
https://html.spec.whatwg.org/multipage/origin.html#origin-keyed-agent-clusters 
This is just a hint to browsers. Depending on resource availability,
they may or may not actually allocate a process. For this reason, it's
not a robust security feature although it is preferable.
This header needs to be active on all pages from an origin for it to
work. 
						
						
					 
					
						2022-08-25 23:15:08 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							e7efc21340 
							
						 
					 
					
						
						
							
							drop configuration for clearing legacy push cookie  
						
						
						
						
					 
					
						2022-05-03 00:25:07 -04:00 
						 
				 
			
				
					
						
							
							
								June 
							
						 
					 
					
						
						
						
						
							
						
						
							b77821f4a5 
							
						 
					 
					
						
						
							
							add gamepad and speaker-selection to permissions policy  
						
						
						
						
						Signed-off-by: June <zanthed@riseup.net> 
						
						
					 
					
						2022-04-18 17:06:28 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							1bfe29f2eb 
							
						 
					 
					
						
						
							
							rename push cookie for clarity  
						
						
						
						
					 
					
						2021-12-11 10:18:04 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							a9a1a3987a 
							
						 
					 
					
						
						
							
							add preload/push for main page phone image  
						
						
						
						
					 
					
						2021-12-11 09:50:51 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							ebbf002a73 
							
						 
					 
					
						
						
							
							disable legacy X-XSS-Protection feature  
						
						
						
						
					 
					
						2021-12-10 04:30:34 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							7010b230c5 
							
						 
					 
					
						
						
							
							use http2_push instead of http2_push_preload  
						
						
						
						
						This avoids needing to conditionally add nopush to each preloaded
resource in the Link header. There's also no support for pushing
JavaScript modules via http2_push_preload since nginx doesn't have
support for rel=modulepreload. 
						
						
					 
					
						2021-12-05 02:48:44 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							fddfa68695 
							
						 
					 
					
						
						
							
							avoid sending unnecessary push cookie  
						
						
						
						
					 
					
						2021-12-04 07:59:53 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							fd59a56501 
							
						 
					 
					
						
						
							
							disable idle-detection in Permissions-Policy  
						
						
						
						
					 
					
						2021-11-24 02:10:25 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							2d079162d4 
							
						 
					 
					
						
						
							
							mark Expect-CT as largely obsolete  
						
						
						
						
					 
					
						2021-06-08 12:27:04 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							5e83027d04 
							
						 
					 
					
						
						
							
							disable unused Clipboard API features  
						
						
						
						
					 
					
						2021-04-18 00:49:50 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							1f027a3fce 
							
						 
					 
					
						
						
							
							disable unused hid (WebHID API) feature  
						
						
						
						
					 
					
						2021-04-18 00:40:47 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							380e34f435 
							
						 
					 
					
						
						
							
							disable unused serial (Web Serial API) feature  
						
						
						
						
					 
					
						2021-04-18 00:37:16 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							3584a627f8 
							
						 
					 
					
						
						
							
							disable interest-cohort feature  
						
						
						
						
					 
					
						2021-04-18 00:34:46 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							3cfe562892 
							
						 
					 
					
						
						
							
							enforce strict Trusted Types without policies  
						
						
						
						
					 
					
						2021-03-26 13:44:32 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							a0d93f3375 
							
						 
					 
					
						
						
							
							explicitly set SameSite for preload session cookie  
						
						
						
						
					 
					
						2021-03-23 10:46:50 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							f298ee4b2b 
							
						 
					 
					
						
						
							
							use once per session preload / push  
						
						
						
						
					 
					
						2021-02-15 04:23:56 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							ba302d9f86 
							
						 
					 
					
						
						
							
							use a single Link header for preloading  
						
						
						
						
					 
					
						2021-02-15 03:41:54 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							0c006f9afd 
							
						 
					 
					
						
						
							
							add preload headers for core fonts  
						
						
						
						
					 
					
						2021-02-15 03:25:22 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							57f77c96cb 
							
						 
					 
					
						
						
							
							drop support for obsolete Feature-Policy header  
						
						
						
						
						This has been replaced by Permissions-Policy. 
						
						
					 
					
						2021-01-26 10:58:00 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							548b13c09d 
							
						 
					 
					
						
						
							
							temporarily disable Trusted Types for web-install  
						
						
						
						
						This can be enabled again when the zip library supports it. 
						
						
					 
					
						2021-01-23 20:56:05 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							fe063f50fe 
							
						 
					 
					
						
						
							
							add foundation for WebUSB-based install page  
						
						
						
						
					 
					
						2021-01-05 05:34:45 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							d0f56dc6ab 
							
						 
					 
					
						
						
							
							document deprecated/obsolete headers  
						
						
						
						
					 
					
						2020-12-31 21:31:07 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							dbee9a704c 
							
						 
					 
					
						
						
							
							move TLS configuration into nginx.conf  
						
						
						
						
					 
					
						2020-11-14 04:23:19 -05:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							d03e7c28b4 
							
						 
					 
					
						
						
							
							add require-trusted-types-for 'script' to CSP  
						
						
						
						
					 
					
						2020-10-27 04:44:58 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							e806721d7c 
							
						 
					 
					
						
						
							
							add COOP / COEP headers  
						
						
						
						
					 
					
						2020-10-27 04:20:17 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							701ed6f301 
							
						 
					 
					
						
						
							
							add Permissions-Policy header  
						
						
						
						
					 
					
						2020-10-03 20:53:38 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							99b4037444 
							
						 
					 
					
						
						
							
							disable unused publickey-credentials-get feature  
						
						
						
						
					 
					
						2020-09-27 19:10:27 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							f59b4f2310 
							
						 
					 
					
						
						
							
							remove unused Feature-Policy speaker directive  
						
						
						
						
					 
					
						2020-09-27 19:07:05 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							c0f510be06 
							
						 
					 
					
						
						
							
							handle Feature-Policy standard renaming wake-lock  
						
						
						
						
					 
					
						2020-09-27 18:54:00 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							6d04912ef7 
							
						 
					 
					
						
						
							
							drop (unfortunately) obsolete HPKP support  
						
						
						
						
					 
					
						2020-09-27 16:12:11 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							27b24277e1 
							
						 
					 
					
						
						
							
							drop usage of report-uri for Expect-CT and CSP  
						
						
						
						
						This has proven to be unhelpful and we don't need this kind of reporting
with the simplicity of the site and policies. 
						
						
					 
					
						2020-07-22 18:41:59 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							2343434d83 
							
						 
					 
					
						
						
							
							stop pinning IdenTrust root that's on the way out  
						
						
						
						
					 
					
						2020-04-19 19:20:43 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							eb1566f6a1 
							
						 
					 
					
						
						
							
							switch HPKP backup pins  
						
						
						
						
					 
					
						2020-04-07 14:39:56 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							ef179138fa 
							
						 
					 
					
						
						
							
							certbot-ocsp-fetcher for reliable OCSP stapling  
						
						
						
						
					 
					
						2020-04-05 04:13:05 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							3e4ee0cb28 
							
						 
					 
					
						
						
							
							move nginx https setup into a snippet  
						
						
						
						
					 
					
						2020-04-01 10:30:30 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							5a923bd1bb 
							
						 
					 
					
						
						
							
							remove obsolete HPKP report-uri URL  
						
						
						
						
					 
					
						2020-04-01 08:47:16 -04:00 
						 
				 
			
				
					
						
							
							
								Daniel Micay 
							
						 
					 
					
						
						
						
						
							
						
						
							9c1ebdd0d8 
							
						 
					 
					
						
						
							
							add nginx configuration  
						
						
						
						
					 
					
						2020-04-01 03:12:09 -04:00