From c0e0e2401ec40079f4b80a974b53e56ec8fb5b2d Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Sat, 24 Jun 2023 18:25:44 +0200
Subject: [PATCH 1/3] Release 1.283.3 (#2100)
---
 CHANGELOG.md | 2 +-
 apps/api/src/main.ts | 2 +-
 package.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a2e498a1..0c41d7ae5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## 1.283.2 - 2023-06-24
+## 1.283.3 - 2023-06-24
 ### Added
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 83e97069e..4a4d9848f 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -39,7 +39,7 @@ async function bootstrap() {
 helmet({
 contentSecurityPolicy: {
 directives: {
- scriptSrc: ["'self'", "'unsafe-inline'"], // Allow inline scripts
+ scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts
 scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers
 styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles
 }
diff --git a/package.json b/package.json
index 8d0a952be..8d0578247 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "ghostfolio",
- "version": "1.283.2",
+ "version": "1.283.3",
 "homepage": "https://ghostfol.io",
 "license": "AGPL-3.0",
 "scripts": {
From 2ecc8dbc4e531d5a6a4d3585ca6bc8ba1a390f9c Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Sat, 24 Jun 2023 18:41:37 +0200
Subject: [PATCH 2/3] Release 1.283.4 (#2101)
---
 CHANGELOG.md | 2 +-
 apps/api/src/main.ts | 3 ++-
 package.json | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c41d7ae5..b7f26636d 100644
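Review bot: The `'https://js.stripe.com'` entry added to the `scriptSrc` line in the `main.ts` hunk of patch 1/3 sits beside `'unsafe-inline'`, so script-src still permits any injected inline script and the new host only widens the policy. The same `scriptSrc` value is carried through the `main.ts` hunks of patches 2/3 and 3/3. I would record the trade-off where the directive is defined, e.g. `// Allow Stripe.js and inline scripts; 'unsafe-inline' removes most of script-src's XSS protection until nonces or hashes replace it`. The enclosing `helmet({ ... })` call starts and ends outside the hunk.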
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## 1.283.3 - 2023-06-24
+## 1.283.4 - 2023-06-24
 ### Added
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 4a4d9848f..ee3cc8534 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -39,7 +39,8 @@ async function bootstrap() {
 helmet({
 contentSecurityPolicy: {
 directives: {
- scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts
+ frameSrc: ["'self'", 'https://js.stripe.com'], // Allow loading frames from Stripe
+ scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts and scripts from Stripe
 scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers
 styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles
 }
diff --git a/package.json b/package.json
index 8d0578247..dee222aa6 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "ghostfolio",
- "version": "1.283.3",
+ "version": "1.283.4",
 "homepage": "https://ghostfol.io",
 "license": "AGPL-3.0",
 "scripts": {
From 51ca26bb4d06b02ef187b08c552454be7b94a3ac Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Sun, 25 Jun 2023 13:39:39 +0200
Subject: [PATCH 3/3] Release 1.283.5 (#2103)
---
 CHANGELOG.md | 2 +-
 apps/api/src/main.ts | 24 +++++++++++++-----------
 package.json | 2 +-
 3 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7f26636d..77bef7847 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
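Review bot: The Stripe allowlist in the `main.ts` hunk of patch 2/3 covers only frame-src and script-src, while Stripe's published CSP guidance for Stripe.js also names `https://hooks.stripe.com` under frame-src and `https://api.stripe.com` under connect-src. Assuming helmet's default `default-src 'self'` is merged with these directives, requests to any Stripe host not listed here would be blocked, so it is worth confirming which endpoints the client actually reaches. If they are needed, the change would be `frameSrc: ["'self'", 'https://js.stripe.com', 'https://hooks.stripe.com'],` plus `connectSrc: ["'self'", 'https://api.stripe.com'],`. The enclosing `helmet({ ... })` call begins and ends outside the hunk.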
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## 1.283.4 - 2023-06-24
+## 1.283.5 - 2023-06-25
 ### Added
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index ee3cc8534..33fd40a30 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -35,18 +35,20 @@ async function bootstrap() {
 // Support 10mb csv/json files for importing activities
 app.use(bodyParser.json({ limit: '10mb' }));
- app.use(
- helmet({
- contentSecurityPolicy: {
- directives: {
- frameSrc: ["'self'", 'https://js.stripe.com'], // Allow loading frames from Stripe
- scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts and scripts from Stripe
- scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers
- styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles
+ if (configService.get('ENABLE_FEATURE_SUBSCRIPTION') === 'true') {
+ app.use(
+ helmet({
+ contentSecurityPolicy: {
+ directives: {
+ frameSrc: ["'self'", 'https://js.stripe.com'], // Allow loading frames from Stripe
+ scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts and scripts from Stripe
+ scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers
+ styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles
+ }
 }
- }
- })
- );
+ })
+ );
+ }
 const BASE_CURRENCY = configService.get('BASE_CURRENCY');
 const HOST = configService.get('HOST') || '0.0.0.0';
diff --git a/package.json b/package.json
index dee222aa6..3953a1060 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "ghostfolio",
- "version": "1.283.4",
+ "version": "1.283.5",
 "homepage": "https://ghostfol.io",
 "license": "AGPL-3.0",
 "scripts": {
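Review bot: Wrapping the whole `app.use(helmet(...))` call in the `ENABLE_FEATURE_SUBSCRIPTION` check in the `main.ts` hunk of patch 3/3 means that, as far as this hunk shows, an instance with the flag unset registers no helmet middleware at all, so it gets neither the Content-Security-Policy nor the other response headers helmet sets by default. Only the two `https://js.stripe.com` entries depend on the feature; the rest of the policy should not hinge on a billing flag. I would keep helmet unconditional and make just the Stripe sources conditional, as sketched below. If the guard was added because the policy broke deployments without subscriptions, adjusting the specific directive responsible would keep the remaining headers in place. `bootstrap()` starts before and continues after the hunk.

```typescript
  // Stripe origins are only needed when the subscription feature is on
  const stripeSources =
    configService.get('ENABLE_FEATURE_SUBSCRIPTION') === 'true'
      ? ['https://js.stripe.com']
      : [];

  app.use(
    helmet({
      contentSecurityPolicy: {
        directives: {
          frameSrc: ["'self'", ...stripeSources], // Stripe frames only when subscriptions are enabled
          scriptSrc: ["'self'", "'unsafe-inline'", ...stripeSources], // Inline scripts; Stripe.js only when subscriptions are enabled
          // … unchanged: scriptSrcAttr, styleSrc …
        }
      }
    })
  );
```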