CORS/CSP hardening & centralization

- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2 (dynamic ACAO/credentials/methods/headers via role vars) - Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning - CSP: allow Simple Icons via connect-src when feature is enabled - Front proxy: rename vars to lowercase + flush handlers after config deploy - Desktop: gate & load Simple Icons role; inject brand logos when enabled - Bluesky + Logout: replace inline CORS with centralized include - Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers - Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }} - LibreTranslate: remove unused images/versions keys Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
2025-10-10 10:48:10 +02:00 · 2025-09-29 12:23:58 +02:00
parent c06d1c4d17
commit aa19a97ed6
15 changed files with 89 additions and 48 deletions
--- a/roles/web-app-desktop/tasks/01_core.yml
+++ b/roles/web-app-desktop/tasks/01_core.yml
@@ -1,3 +1,12 @@
+- name: "Load brand logos role for '{{ application_id }}'"
+  include_role:
+    name: web-svc-simpleicons
+  vars:
+    flush_handlers: true
+  when:
+    - run_once_web_svc_simpleicons is not defined
+    - DESKTOP_SIMPLEICONS_ENABLED | bool
+
 - name: "Validate configuration"
  include_tasks: "02_validate.yml"
  when: MODE_ASSERT | bool
@@ -24,25 +33,16 @@
  set_fact:
    portfolio_cards: "{{ lookup('docker_cards', 'roles') }}"

- name: "Load images for applications feature simpleicons is enabled "
+- name: "Load Desktop Brand logos"
  set_fact:
    portfolio_cards: "{{ portfolio_cards | add_simpleicon_source(domains, WEB_PROTOCOL) }}"
-  when:
-    - (applications | get_app_conf(application_id, 'features.simpleicons', False))
+  when: DESKTOP_SIMPLEICONS_ENABLED | bool
+  changed_when: false

 - name: Group docker cards
  set_fact:
    portfolio_menu_data: "{{ lookup('docker_cards_grouped', portfolio_cards, portfolio_menu_categories) }}"

- name: Debug portfolio data
-  debug:
-    msg:
-      portfolio_cards:            "{{ portfolio_cards }}"
-      portfolio_menu_categories:  "{{ portfolio_menu_categories}}"
-      portfolio_menu_data:        "{{ portfolio_menu_data }}"
-      service_provider:           "{{ service_provider }}"
-  when: MODE_DEBUG | bool
-
 - name: Copy host-specific config.yaml if it exists
  template:
    src: "{{ DESKTOP_CONFIG_INV_PATH }}"