-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Feat/customcss status page #3723
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
ajhollid
merged 12 commits into
bluewave-labs:develop
from
Buco7854:feat/customcss-status-page
Jul 2, 2026
Merged
Changes from all commits
Commits
Show all changes
12 commits
Select commit
Hold shift + click to select a range
73f95ac
feat: complete custom CSS support for status pages
Buco7854 0f4240d
feat: cap custom CSS length and add validation tests
Buco7854 25d8839
feat: render admin status page preview in an iframe
Buco7854 69e142f
fix: restrict status page mutations to admins and superadmins
Buco7854 6165ae6
Merge branch 'develop' of https://github.com/bluewave-labs/checkmate …
Buco7854 3685e0c
feat: reject custom CSS that references external resources
Buco7854 96021b7
refactor: detect external CSS references with the CSS Syntax tokenizer
Buco7854 ffbf223
feat: tighten CSP on the public status page document
Buco7854 a4cc322
feat: apply status page CSP to custom domains
Buco7854 ea23610
fix: mirror server custom CSS validation on the client
Buco7854 52b95ad
fix: keep the admin status page preview iframe same-origin
Buco7854 969d24e
Merge branch 'develop' into feat/customcss-status-page
Buco7854 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| import { isTokenString, isTokenURL, tokenize } from "@csstools/css-tokenizer"; | ||
|
|
||
| // Mirrors the server check (server/src/utils/customCss.ts) so the form rejects | ||
| // the same CSS the API would. | ||
| const EXTERNAL_TARGET = /^\s*(?:https?:|\/\/)/i; | ||
|
|
||
| export const cssReferencesExternalResource = (css?: string | null): boolean => { | ||
| if (typeof css !== "string" || css === "") { | ||
| return false; | ||
| } | ||
|
|
||
| return tokenize({ css }).some( | ||
| (token) => | ||
| (isTokenURL(token) || isTokenString(token)) && EXTERNAL_TARGET.test(token[4].value) | ||
| ); | ||
| }; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| import type { NextFunction, Request, Response } from "express"; | ||
| import { normalizeStatusPageDomain } from "@/utils/statusPageDomain.js"; | ||
|
|
||
| const PUBLIC_STATUS_PAGE_DOCUMENT_PREFIX = "/status/public"; | ||
|
Buco7854 marked this conversation as resolved.
|
||
|
|
||
| // Browsers enforce the intersection of all CSP headers, so this only tightens | ||
| // the status page on top of the global helmet policy, blocking external images, | ||
| // fonts, and stylesheets from custom CSS while keeping the app's Google Fonts. | ||
| const STATUS_PAGE_CSP = [ | ||
| "img-src 'self' data:", | ||
| "font-src 'self' data: https://fonts.gstatic.com", | ||
| "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com", | ||
| ].join("; "); | ||
|
|
||
| // A status page document is served on the public path or on a custom domain | ||
| // (any host other than the app's own). Mirrors the client isCustomDomainHost. | ||
| export const createStatusPageDocumentCsp = (clientHost: string) => { | ||
| const appHostname = normalizeStatusPageDomain(clientHost); | ||
|
|
||
| return (req: Request, res: Response, next: NextFunction) => { | ||
| const onCustomDomain = appHostname !== null && normalizeStatusPageDomain(req.hostname) !== appHostname; | ||
| if (req.path.startsWith(PUBLIC_STATUS_PAGE_DOCUMENT_PREFIX) || onCustomDomain) { | ||
| res.append("Content-Security-Policy", STATUS_PAGE_CSP); | ||
| } | ||
| return next(); | ||
| }; | ||
| }; | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.