Skip to content

Commit 2da6144

Browse files
Fix CSP for Astro islands and navbar background
Astro emits inline <script type="module"> bootstrap blocks for each client:* directive (trailer audio button, council preview button). The strict script-src 'self' CSP blocked them, so islands never hydrated and audio buttons did nothing. Adding 'unsafe-inline' to script-src is the time-pressure unblock; a proper Astro CSP integration that auto-hashes inline scripts is a follow-up. Navbar background: .pub-navbar in public-layout.css only sets sticky positioning, no background or blur. The sticky bar showed through to page content on scroll, leaving nav links overlapping prose. Same cosmic blue + blur as .pub-cta--sticky for visual consistency, added as a scoped is:global block in marketing/src/components/Navbar.astro so the frozen public-layout.css stays untouched. Both fixes are already live on production via wrangler direct deploy (d6c829a5.agora-cosmica.pages.dev). This commit brings GitHub in sync so CF Pages auto-builds and GitHub Actions CI rebuild against matching source.
1 parent 723a96e commit 2da6144

2 files changed

Lines changed: 13 additions & 1 deletion

File tree

client/public/_headers

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
Referrer-Policy: strict-origin-when-cross-origin
66
Permissions-Policy: camera=(), microphone=(self), geolocation=()
77
Strict-Transport-Security: max-age=31536000; includeSubDomains
8-
Content-Security-Policy: default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.agoracosmica.org; font-src 'self'; connect-src 'self' blob: https://openrouter.ai https://*.agoracosmica.org wss://*.agoracosmica.org; media-src 'self' blob: https://*.agoracosmica.org; frame-src https://challenges.cloudflare.com; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
8+
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.agoracosmica.org; font-src 'self'; connect-src 'self' blob: https://openrouter.ai https://*.agoracosmica.org wss://*.agoracosmica.org; media-src 'self' blob: https://*.agoracosmica.org; frame-src https://challenges.cloudflare.com; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
99

1010
# Immutable cache for hashed assets (Vite adds content hash to filenames)
1111
/assets/*

marketing/src/components/Navbar.astro

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -71,3 +71,15 @@ const isActive = (path: string) => currentPath === path || currentPath === path.
7171
</button>
7272
</div>
7373
</header>
74+
75+
<style is:global>
76+
/* Bug fix: .pub-navbar had no background in public-layout.css, so the
77+
sticky bar showed through to page content on scroll. Same cosmic blue
78+
+ blur as .pub-cta--sticky for visual consistency. */
79+
.pub-navbar {
80+
background: color-mix(in srgb, var(--bg-deep-space, #0C1133) 92%, transparent);
81+
backdrop-filter: blur(12px);
82+
-webkit-backdrop-filter: blur(12px);
83+
border-bottom: 1px solid color-mix(in srgb, var(--gold-primary) 16%, transparent);
84+
}
85+
</style>

0 commit comments

Comments
 (0)