From: Claire
Date: Wed, 26 Jan 2022 21:32:21 +0000 (+0100)
Subject: Merge branch 'main' into glitch-soc/merge-upstream
X-Git-Url: https://git.xn--scling-oua.cat.family/?a=commitdiff_plain;h=ad6ddb9bdd3ceae3f9d5dde7b351081f0dfa2a9a;p=mastodon.git
Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `config/environments/production.rb`: Upstream changed a header but we had different default headers. Applied the same change, and also dropped HSTS headers redundant with Rails'.
--- ad6ddb9bdd3ceae3f9d5dde7b351081f0dfa2a9a
diff --cc Gemfile
index 67c50d19f,9baefcf74..bcda409a9
--- a/Gemfile
+++ b/Gemfile
@@@ -96,13 -96,11 +96,13 @@@ gem 'webpush', '~> 0.3
gem 'webauthn', '~> 3.0.0.alpha1'
gem 'json-ld'
- gem 'json-ld-preloaded', '~> 3.1'
+ gem 'json-ld-preloaded', '~> 3.2'
gem 'rdf-normalize', '~> 0.4'
+gem 'redcarpet', '~> 3.5'
+
group :development, :test do
- gem 'fabrication', '~> 2.23'
+ gem 'fabrication', '~> 2.24'
gem 'fuubar', '~> 2.5'
gem 'i18n-tasks', '~> 0.9', require: false
gem 'pry-byebug', '~> 3.9'
diff --cc config/environments/production.rb
index b72d1b342,7fe381040..ce3c41799
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@@ -115,14 -115,11 +115,13 @@@ Rails.application.configure d
config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
config.action_dispatch.default_headers = {
- 'Server' => 'Mastodon',
- 'X-Frame-Options' => 'DENY',
- 'X-Content-Type-Options' => 'nosniff',
- 'X-XSS-Protection' => '0',
- 'Permissions-Policy' => 'interest-cohort=()',
+ 'Server' => 'Mastodon',
+ 'X-Frame-Options' => 'DENY',
+ 'X-Content-Type-Options' => 'nosniff',
- 'X-XSS-Protection' => '1; mode=block',
++ 'X-XSS-Protection' => '0',
+ 'Permissions-Policy' => 'interest-cohort=()',
+ 'Referrer-Policy' => 'same-origin',
- 'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',
+ 'X-Clacks-Overhead' => 'GNU Natalie Nguyen'
}
config.x.otp_secret = ENV.fetch('OTP_SECRET')
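Review bot: Removing the `'Strict-Transport-Security'` entry from `config.action_dispatch.default_headers` only preserves HSTS if `config.force_ssl` is enabled and Rails' `ActionDispatch::SSL` middleware is actually emitting the header — neither `force_ssl` nor `config.ssl_options` is visible in this hunk, so if `force_ssl` is gated by an environment variable the header disappears entirely for deployments where that gate is off. Even when it is on, Rails' built-in HSTS defaults (as I recall them) are a one-year `max-age` with `preload` off, not the `max-age=63072000; includeSubDomains; preload` the removed line sent, and a domain already on the HSTS preload list can be dropped from it once the `preload` token stops appearing. If the intent is to keep the old policy, pair the removal with `config.ssl_options = { hsts: { expires: 2.years, subdomains: true, preload: true } }` next to `config.force_ssl`, and add a comment above the `default_headers` hash such as `# HSTS is emitted by ActionDispatch::SSL (config.force_ssl / config.ssl_options[:hsts]), not set here.` The enclosing `Rails.application.configure do` block begins and ends outside the hunk.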