From bd226d50ffc479ee75f8af32da0b9d95a5571906 Mon Sep 17 00:00:00 2001
From: LAX1DUDE
Date: Tue, 5 Jul 2022 17:40:06 -0700
Subject: [PATCH 1/4] Update origin_blacklist.txt

---
 stable-download/origin_blacklist.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/stable-download/origin_blacklist.txt b/stable-download/origin_blacklist.txt
index 2afc396..bf5cfc1 100644
--- a/stable-download/origin_blacklist.txt
+++ b/stable-download/origin_blacklist.txt
@@ -22,6 +22,7 @@
 .*gitpod\.io$
 .*gsucks\.repl\.co$
 .*builders.tools\.tk$
+.*bootyy\.flapx\..*$
 
 # replit-wildcard:
 .*repl(it)?\..{1,5}$

From a8d5c856de28ba2a263abc055d7b26d50dc2bf7e Mon Sep 17 00:00:00 2001
From: LAX1DUDE
Date: Tue, 5 Jul 2022 18:11:24 -0700
Subject: [PATCH 2/4] Update origin_blacklist.txt

---
 stable-download/origin_blacklist.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stable-download/origin_blacklist.txt b/stable-download/origin_blacklist.txt
index bf5cfc1..66130c8 100644
--- a/stable-download/origin_blacklist.txt
+++ b/stable-download/origin_blacklist.txt
@@ -22,7 +22,7 @@
 .*gitpod\.io$
 .*gsucks\.repl\.co$
 .*builders.tools\.tk$
-.*bootyy\.flapx\..*$
+.*lapx\..*$
 
 # replit-wildcard:
 .*repl(it)?\..{1,5}$

From f0fd21874e95cbd767a5bfcdbd85931e96377bb7 Mon Sep 17 00:00:00 2001
From: LAX1DUDE
Date: Wed, 6 Jul 2022 22:41:41 -0700
Subject: [PATCH 3/4] block ambiguous (*.eags.us, *.lax1dude.net) official-looking domains

---
 stable-download/origin_blacklist.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/stable-download/origin_blacklist.txt b/stable-download/origin_blacklist.txt
index 66130c8..c62ec48 100644
--- a/stable-download/origin_blacklist.txt
+++ b/stable-download/origin_blacklist.txt
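Review bot: The entry added in the second hunk, `.*lapx\..*$`, is an unanchored substring match: it blocks any origin whose name contains `lapx.` anywhere, not only hosts under a particular domain, and the trailing `.*$` is redundant once the leading `.*` is there. If that breadth is deliberate (the first hunk's narrower `.*bootyy\.flapx\..*$` was widened to this in the same series, which suggests it is), a comment line above it stating the intent would help, since none of the neighbouring entries record why they exist and the next patch in the series does add such a comment for its entries. Since PATCH 1/4 is fully rewritten by PATCH 2/4, squashing the two would also keep the abandoned pattern out of history.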
@@ -24,6 +24,10 @@
 .*builders.tools\.tk$
 .*lapx\..*$
+# block ambiguous domains (excuse the regex skill issues)
+^(?!g\.eags\.us).*eags\.us$
+^(?!g\.lax1dude\.net).*lax1dude\.net$
+
 
 # replit-wildcard:
 .*repl(it)?\..{1,5}$
 # snitch other domains out at https://g.eags.us/eaglercraft/report.html

From fff039e79bd38b704cc42a945756fa94daf2f3b7 Mon Sep 17 00:00:00 2001
From: LAX1DUDE
Date: Wed, 6 Jul 2022 22:49:53 -0700
Subject: [PATCH 4/4] Update README.md

---
 README.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f5f6708..e93f228 100644
--- a/README.md
+++ b/README.md
@@ -148,7 +148,18 @@ origin_blacklist_simple_whitelist:
 origin_blacklist_block_offline_download: true
 ```
 
-**To use IP bans and rate limiting, enable** `forward_ip` **and pass a X-Real-IP header from your proxy to the bungeecord's websocket port**
+### To stop people from using bookmarklets to load a client from a different URL onto your official URL via XXS, add these headers to NGINX:
+
+```
+add_header X-Frame-Options "SAMEORIGIN";
+add_header Referrer-Policy "strict-origin";
+add_header X-XSS-Protection "1; mode=block";
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data: blob:; connect-src 'self' ws: wss:; upgrade-insecure-requests";
+```
+
+(not fully tested, excuse the scroll bar)
+
+### To use IP bans and rate limiting, enable `forward_ip` and pass a X-Real-IP header from your proxy to the bungeecord's websocket port
 
 Nginx example: add `proxy_set_header X-Real-IP $remote_addr` to your proxy configuration
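Review bot: The negative lookaheads in the two added patterns, `^(?!g\.eags\.us)` and `^(?!g\.lax1dude\.net)`, exempt every origin string that merely begins with the official host rather than the official host alone, because the lookahead is not closed with `$`; writing them as `^(?!g\.eags\.us$).*eags\.us$` and `^(?!g\.lax1dude\.net$).*lax1dude\.net$` limits the exemption to the exact hostname. Both patterns also assume the value being matched is the bare hostname: if the comparison is made against a string that carries a scheme or port, the `^` anchor stops the exemption from applying and the official hosts get blocked along with everything else, and nothing in this file shows how origins are normalised before matching, so that is worth confirming against the matcher. The added comment could also state that `.*eags\.us$` intentionally over-matches (it catches any name ending in those characters, not only subdomains), since the commit subject describes that as the goal.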
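Review bot: The Content-Security-Policy in the added nginx snippet keeps `'unsafe-inline'` and `'unsafe-eval'` in `default-src`, so the policy still permits inline and dynamically evaluated script and does not by itself stop a client being loaded through injected script as the new heading claims; what the snippet does restrict is where the page may fetch resources and open connections (`img-src`, `connect-src`) and whether it can be framed. `X-XSS-Protection` is deprecated and ignored by current browsers, so the README should not present it as protection. A sentence after the snippet along the lines of "this CSP limits resource origins but, because of `'unsafe-inline'`/`'unsafe-eval'`, does not block injected script; tighten `script-src` once the client's inline-script needs are known" would set accurate expectations, and the heading's `via XXS` should read `via XSS`.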