bring repo in line with giveth#2
Open
geleeroyale wants to merge 6 commits into
…nements

This is a cleaner re-issue of PR #7 (which got stuck in a dirty merge state due to drift). Two fixes, both already CodeRabbit-signed-off on the original PR's commit 68f8c32:

- TokenInput: hard-guard on `address` instead of the previous `address && ...` short-circuit so wagmi `useAccount()` race conditions cannot let same-address submissions slip past. Each `useAccount()` instance updates on its own render schedule, so the parent component can show `accountStatus === "connected"` while the child briefly sees `address: undefined` — that race let same-address submissions through in production (real user submission reported by Griff 2026-04-27).
- Caddyfile: split into explicit handle blocks. Cache headers previously matched against the original request path BEFORE try_files rewrote SPA deep-links to /index.html, so deep-link responses got no Cache-Control header at all. Now /assets/* is its own handle (immutable cache for content-hashed Vite bundles) and the SPA fallback handle has a blanket no-cache header that fires on every /index.html response regardless of original path.
- Caddyfile: tighten API path matchers from `/admin*` form to `/admin /admin/*` form so future SPA routes like `/administrator` cannot accidentally swallow into the API proxy.

Note for reviewer: this branch is parented on the fork's stale main (ac5117a) rather than current upstream/main, because the fork's PAT lacks `workflow` scope and any tree containing the deploy.yml file upstream added gets push-rejected. The PR diff against Giveth:main is correctly limited to these two files only; the Caddyfile conflict that will appear on merge can be resolved in the GitHub web editor.
Three CSP gaps were blocking the wallet stack on votingbadge.thedao.fund:

1. `script-src 'self'` blocked Firefox MetaMask's `inpage.js` content script — Firefox enforces page CSP on extension-injected inline scripts (since v76), so the wallet was never attaching the EIP-1193 provider. Add `'unsafe-inline'` to script-src; this is the standard posture for dapps that need to coexist with browser-wallet extensions. The XSS surface stays bounded because the app has no user-generated HTML and `frame-ancestors 'none'` still blocks clickjacking.
2. No explicit `frame-src` (so it fell through to `default-src 'self'`) blocked WalletConnect's attestation iframe at `verify.walletconnect.org/v3/attestation`. Add explicit `frame-src 'self' https://verify.walletconnect.org https://verify.walletconnect.com` (WC's CDN uses both TLDs).
3. `img-src 'self' data:` silently 404'd RainbowKit's wallet/network icons (loaded from various CDNs). Add `https:`.

Reported via userback.io with the WC SDK throwing a downstream `Node.removeChild` DOMException — that error is the SDK trying to clean up the attestation iframe that CSP prevented from mounting; resolves once frame-src is correct.
…it nit)

Per CodeRabbit review: the wallet-injection path only needs inline `<script>` element content, not inline event handlers. CSP exposes that distinction via `script-src-elem`. Keep `script-src 'self'` strict and move the `'unsafe-inline'` allowance onto `script-src-elem` only — this preserves blocking of the inline-event-handler XSS vector (`onclick=`, `onerror=`, etc.) which is a common attack surface. `script-src-elem` is supported since Firefox 79 / Chrome 75 (2020), so there are no compatibility concerns. Comment block updated.
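The CSP fallback behaviour both commit messages rely on (a missing `frame-src` falling through to `default-src`, `script-src-elem` and `script-src-attr` inheriting from `script-src`), as an added Python check that is not part of this repository. The two policy strings are reconstructed from the commit text, the origin is the site named above, and the source matcher is deliberately simplified (no wildcards, no path matching).

```python
from urllib.parse import urlsplit
# Policies reconstructed from the commit messages (constructed; not the repo's Caddyfile).
CSP_BEFORE = "default-src 'self'; script-src 'self'; img-src 'self' data:; frame-ancestors 'none'"
CSP_AFTER = ("default-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline'; "
             "frame-src 'self' https://verify.walletconnect.org https://verify.walletconnect.com; "
             "img-src 'self' data: https:; frame-ancestors 'none'")
ORIGIN = "https://votingbadge.thedao.fund"  # the page the policy protects
FALLBACK = {  # CSP3 fallback order: an absent directive is governed by the next one present
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
    "img-src": ("img-src", "default-src"),
}

def parse_csp(header):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective(policy, directive):
    """Name and sources of the directive that actually governs `directive`."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name, policy[name]
    return None, None  # nothing applies: unrestricted

def allows_url(policy, directive, url):
    """Simplified source matching: 'self', scheme sources (https:) and exact host sources."""
    sources = effective(policy, directive)[1]
    if sources is None:
        return True
    u = urlsplit(url)
    url_origin = f"{u.scheme}://{u.netloc}"
    for src in sources:
        s = src.strip("'").lower()
        if ((s == "self" and url_origin == ORIGIN) or s == url_origin
                or (s.endswith(":") and u.scheme == s[:-1])):
            return True
    return False

def allows_inline(policy, directive):
    """True if inline content governed by `directive` may execute."""
    sources = effective(policy, directive)[1]
    return sources is None or "'unsafe-inline'" in sources
```

Running it against the two policies reproduces the three gaps and confirms that, after the nit, inline event handlers (`script-src-attr`) are still refused while inline `<script>` elements are allowed.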
…ed-v2 Fix wagmi-race in Online holder check + Caddy cache + path-matcher refinements
…nsion-compat fix(csp): allow MetaMask extension scripts + WalletConnect verify iframe
No description provided.