From 9666d11d585073466051e0e5e133ef1d9f42380d Mon Sep 17 00:00:00 2001
From: Peter Hughes
Date: Fri, 6 Sep 2024 11:42:03 +0100
Subject: [PATCH] brotli fix
---
 lib/middlewares/brotli.ts | 2 +-
 lib/middlewares/securityheaders.ts | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/middlewares/brotli.ts b/lib/middlewares/brotli.ts
index 4cee00b..cd62d1c 100644
--- a/lib/middlewares/brotli.ts
+++ b/lib/middlewares/brotli.ts
@@ -6,7 +6,7 @@ export default async function brotliMiddleware(req: Request, ctx: FreshContext)
 const headers = resp.headers;
 // Skip compression for event streams
- if (headers.get("Content-Type") === "text/event-stream") {
+ if (headers.get("Content-Type") === "text/event-stream" || headers.get("Content-Type")?.includes("javascript")) {
 return resp;
 }
diff --git a/lib/middlewares/securityheaders.ts b/lib/middlewares/securityheaders.ts
index 7985c3f..03513de 100644
--- a/lib/middlewares/securityheaders.ts
+++ b/lib/middlewares/securityheaders.ts
@@ -18,7 +18,7 @@ const SECURITY_HEADERS = {
 "Permissions-Policy": "accelerometer=(), camera=(), encrypted-media=(), gyroscope=(), interest-cohort=(), microphone=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()",
 "Content-Security-Policy":
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; upgrade-insecure-requests; frame-ancestors 'none'; connect-src 'self' https://api.openai.com; media-src 'self' data: blob:; manifest-src 'self';",
+ "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; upgrade-insecure-requests; frame-ancestors 'none'; connect-src 'self' https://api.openai.com; media-src 'self' data: blob:; manifest-src 'self';",
 "Expect-CT": "max-age=86400, enforce",
 };
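Review bot: The added `||` branch in brotliMiddleware looks up `headers.get("Content-Type")` a second time and leaves the comment above it (`// Skip compression for event streams`) describing only the old case, so the reason JavaScript responses are now excluded from compression is recorded nowhere in the commit. Bind the header once and widen the comment: `const contentType = headers.get("Content-Type") ?? "";` / `// Skip compression for event streams and for JavaScript (<reason> — TODO confirm)` / `if (contentType === "text/event-stream" || contentType.includes("javascript")) {`. Note that `includes("javascript")` is a substring match, so it covers `application/javascript`, `text/javascript` and any charset parameter, which is presumably intended. brotliMiddleware's signature is only visible in the hunk header and its body continues outside the hunk.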
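Review bot: Adding `'unsafe-eval'` to `script-src` in SECURITY_HEADERS allows any script the page already runs to use `eval`, `new Function` and string-argument timers, and neither the hunk nor the commit message ("brotli fix") records what needs it; a change that loosens the policy for every response should carry a why-comment on the line above the literal, e.g. `// 'unsafe-eval' is required by <component> — TODO confirm, and remove once no longer needed`. If the trigger is WebAssembly compilation rather than JavaScript evaluation, the narrower `'wasm-unsafe-eval'` keyword covers that without enabling string evaluation. Because the policy already carries `'unsafe-inline'`, the practical weakening is incremental, but it moves the CSP further from a nonce- or hash-based `script-src`, which is worth noting in the same comment.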
@@ -72,6 +72,9 @@ export default async function handler(req: Request, ctx: FreshContext) {
 const resp = await ctx.next();
 const headers = resp.headers;
 const path = new URL(req.url).pathname;
+ if (path.startsWith("/_frsh/")) {
+ return resp;
+ }
 setSecurityHeaders(headers, path);
 return resp;
 }
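Review bot: The early `return resp` for paths under `/_frsh/` skips `setSecurityHeaders` entirely, so those responses get none of the headers it applies — the Permissions-Policy, Content-Security-Policy and Expect-CT entries visible in the other hunk and whatever else the function sets — rather than only the one that presumably conflicts with the framework's internal assets; the hunk does not say which one that is. Prefer keeping the call and excluding the conflicting header inside `setSecurityHeaders` for that prefix, or at least state the reason beside the check: `// Fresh internal assets under /_frsh/: skipped because <reason> — TODO confirm`. `new URL(req.url).pathname` is already normalized, so the prefix test itself is sound. `setSecurityHeaders` is defined outside the hunk; handler's opening line appears only as the hunk header context.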