harvard-lil/wacz-exhibitor

Always render `index.html`?

Closed this issue · 2 comments

With the currently recommended nginx.conf, /embed/index.html is served for nearly every possible request. For example:

I think that is probably fine, but might somewhat increase the amount of traffic seen by the server, if the could-have-been-404 requests are made by browsers that then proceed to request replay-web-page/ui.js and index.js as well.

I wonder if something like the following might be preferable:

  # Serves contents of "/embed" as "/"
  location / {
    root /usr/share/nginx/html/embed;

    # Intended CSP Policy:
    # "Everything's allowed within the <iframe>, as long as it's same-origin."
    add_header Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval';";
  }

or

  # Serves contents of "/embed" as "/"
  location = / {
    try_files /embed/index.html =404;

    # Intended CSP Policy:
    # "Everything's allowed within the <iframe>, as long as it's same-origin."
    add_header Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval';";
  }
  location / {
    try_files /embed$uri /embed/$uri/ =404;
  }

🤷‍♀️

This makes a lot of sense @rebeccacremona -- We should do that 😄 .
The idea of keeping this loose was to make embedding easier (as in: you could make a mistake in your embedding code and it would still work), but tightening it to avoid wasting resources is compelling.

Ah, cool @matteocargnelutti! That makes sense. No strong opinions here! I just figured since I noticed the other 404 thing, I might mention it, in case this wasn't intended 🙂 .
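To see which requests stop receiving `index.html` under the second configuration proposed in the issue, here is an added example (not code from the thread or from the project) that models `try_files` resolution in Python. The file listing, the `loose` catch-all rule standing in for the current behaviour, and all function names are assumptions constructed for illustration.

```python
import posixpath

# Constructed sample of what sits under /usr/share/nginx/html (assumption).
FILES = {"/embed/index.html", "/embed/index.js", "/embed/replay-web-page/ui.js"}
DIRS = {"/embed", "/embed/replay-web-page"}


def resolve(uri, candidates, fallback):
    """Model of try_files: the first existing candidate wins, else the fallback.

    A candidate ending in "/" is only tested against directories. A "dir"
    result means nginx would hand over to its index handling, which this
    model does not follow any further.
    """
    for cand in candidates:
        path = cand.replace("$uri", uri)
        norm = posixpath.normpath(path)  # "/embed//x/" -> "/embed/x"
        if path.endswith("/"):
            if norm in DIRS:
                return ("dir", norm)
        elif norm in FILES:
            return (200, norm)
    return fallback


def loose(uri):
    # Assumed stand-in for the current behaviour: unknown paths get index.html.
    return resolve(uri, ["/embed$uri"], (200, "/embed/index.html"))


def strict(uri):
    # Second proposal from the issue: exact "/" serves index.html, rest is 404.
    if uri == "/":
        return resolve(uri, ["/embed/index.html"], (404, None))
    return resolve(uri, ["/embed$uri", "/embed/$uri/"], (404, None))


def newly_rejected(uris):
    """URIs that fall back to index.html under loose() but 404 under strict()."""
    return [u for u in uris
            if loose(u) == (200, "/embed/index.html") and strict(u) == (404, None)]


if __name__ == "__main__":
    sample = ["/", "/index.js", "/replay-web-page/ui.js", "/typo.html", "/wp-login.php"]
    for u in sample:
        print(f"{u:28} loose={loose(u)} strict={strict(u)}")
    print("now 404:", newly_rejected(sample))
```

Running the same comparison against a real deployment's file listing shows which embed URLs with mistakes in them would break once the fallback is removed.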