
Fix security headers #4158

Merged
ildyria merged 1 commit into master from fix-redirection-unsafe on Mar 8, 2026

Conversation

@ildyria (Member) commented Mar 8, 2026

Summary by CodeRabbit

  • Chores
    • Updated security policy configuration
  • Refactor
    • Modified gallery navigation to construct URLs dynamically on the client side for improved deployment flexibility

ildyria requested a review from a team as a code owner on March 8, 2026 14:23
coderabbitai bot commented Mar 8, 2026

📝 Walkthrough

A CSP script-src hash value was updated in the secure headers configuration, and JavaScript in a Vue application view was refactored to construct gallery navigation URLs client-side using the document base URL instead of server-generated Laravel route() calls.

Changes

Security Headers Configuration: config/secure-headers.php
  Updated the CSP script-src hash value from okzzdI+OgeNYCr3oJXDZ/rPI5WwGyiU5V/RwOQrv5zE= to /YUD5b5Ze0TEXHUw/Vl3MbJXEKRQ1Hg6jBoeNlyFnec=.

Vue Application View: resources/views/vueapp.blade.php
  Extracted the base URL from the document base href and replaced server-generated Laravel route() calls with client-side URL construction for the photo and album gallery navigation endpoints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A hop and a skip through hashes we go,
One sha256 dances, a cryptographic show,
Routes take flight to the client-side light,
Base URLs bouncing—our galleries bright!

🚥 Pre-merge checks | ✅ 1
✅ Passed checks (1 passed)

Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 2


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9a4db783-567b-4baf-af34-6723abccadd2

📥 Commits

Reviewing files that changed from the base of the PR and between 57c748f and f51aded.

📒 Files selected for processing (2)
  • config/secure-headers.php
  • resources/views/vueapp.blade.php

ildyria added a commit that referenced this pull request on Mar 8, 2026:

- Switch from full Vue build (with compiler) to runtime-only build
- Runtime-only build doesn't require unsafe-eval CSP directive
- Update app initialization to pass root component to createApp()
- Explicitly disable unsafe-eval in DisableCSP middleware for production
- Development mode (with hot reload) continues to disable CSP entirely

The full Vue build includes template compiler which uses new Function()
internally, requiring unsafe-eval. Since we use pre-compiled .vue SFCs,
the runtime-only build is sufficient and more secure.

Closes #4158
ildyria merged commit 4e69750 into master on Mar 8, 2026
45 checks passed
ildyria deleted the fix-redirection-unsafe branch on March 8, 2026 15:05
