$value ) {
	// Skip these on live sites (both production and staging),
	// where they are managed by puppet.
	// Local testing with a fresh database does not
	// currently work if these are skipped.
	if ( JQUERY_STAGING !== 'local' ) {
		if ( $option === 'stylesheet' || $option === 'template' ) {
			// Don't mess with themes for now.
			continue;
		}
		if ( $option === 'active_plugins' ) {
			// On live sites (including staging ones),
			// Puppet manages activation of per-site plugins.
			continue;
		}
	}
	// Pin this option to the configured value. Under WordPress's 'pre_option_*'
	// contract a non-false return short-circuits the database lookup, so the
	// value stored in wp_options is never consulted for this option.
	add_filter( 'pre_option_' . $option, function () use ( $value ) {
		return $value;
	} );
}
unset( $sites, $options, $option );

// Ensure that the local port is used for template assets, if it exists.
add_filter( 'theme_root_uri', function( $value ) {
	// All environment variables are set either in the local wp-config.php or via puppet.
	// Staging sites set JQUERY_STAGING to the boolean `true` instead of 'local'.
	// Production sites set it to false.
	if ( JQUERY_STAGING === 'local' ) {
		// Don't specify http vs https here, as the site may be accessed via either.
		// JQUERY_STAGING_FORMAT is expected to contain a '%s' placeholder; strtr()
		// replaces only that token with JQUERY_LIVE_SITE, nothing else.
		$siteurl = '//' . strtr( JQUERY_STAGING_FORMAT, [ '%s' => JQUERY_LIVE_SITE ] );
		$value = $siteurl . '/wp-content/themes';
	}
	// Non-local environments keep whatever WordPress computed.
	return $value;
});

// Remove misc <head> links and blog-oriented behaviour on non-blog sites.
if ( !get_option( 'jquery_is_blog' ) ) {
	remove_action( 'wp_head', 'feed_links', 2 );
	remove_action( 'wp_head', 'feed_links_extra', 3 );
	remove_action( 'wp_head', 'rsd_link' );
	remove_action( 'wp_head', 'wlwmanifest_link' );
	// NOTE(review): remove_action() takes three arguments (hook, callback,
	// priority); the trailing 0 here is ignored and can be dropped.
	remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 );
	// Remove shortlink and header.
	remove_action( 'wp_head', 'wp_shortlink_wp_head', 10 );
	remove_action( 'template_redirect', 'wp_shortlink_header', 11 );
	// Disable WordPress auto-paragraphing for posts, except on actual blog sites
	remove_filter( 'the_content', 'wpautop' );
	// Force the uploads_use_yearmonth_folders option to false, i.e. a flat
	// uploads directory with no /YYYY/MM subfolders.
	add_filter( 'option_uploads_use_yearmonth_folders', '__return_false' );
	// Point the upload location at UPLOADS when that constant is defined,
	// otherwise at WP_CONTENT_DIR/uploads. Only 'path' and 'basedir' are
	// overridden; 'url' and 'baseurl' are left as WordPress computed them —
	// NOTE(review): confirm those still agree with this location.
	add_filter( 'upload_dir', function( $upload_dir ) {
		if ( defined( 'UPLOADS' ) ) {
			$upload_dir['path'] = $upload_dir['basedir'] = UPLOADS;
		} else {
			$upload_dir['path'] = $upload_dir['basedir'] = WP_CONTENT_DIR . '/uploads';
		}
		return $upload_dir;
	});
}

/**
 * Content Security Policy
 * https://github.com/jquery/infrastructure-puppet/issues/54
 *
 * Registered on 'send_headers', so it runs once per request. The policy is
 * built as a directive => value map, passed through the
 * 'jq_content_security_policy' filter so other code can adjust it, and then
 * extended for blog sites. The remainder of this callback (including how the
 * header itself is emitted) lies outside this chunk.
 */
add_action( 'send_headers', function() {
	// Per-request nonce that the policy below whitelists for inline
	// script/style elements.
	// NOTE(review): 8 random bytes is 64 bits of entropy; the CSP spec
	// recommends at least 128 bits for nonces — random_bytes( 16 ) would meet
	// that. How the theme obtains this nonce for its <script>/<style> tags is
	// not visible in this chunk.
	$nonce = bin2hex( random_bytes( 8 ) );
	$report_url = 'https://csp-report-api.openjs-foundation.workers.dev/';
	$policy = array(
		'default-src' => "'self'",
		// The nonce is here so inline scripts can be used in the theme
		'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
		'style-src' => "'self' 'nonce-$nonce' code.jquery.com",
		// Allow style="" attributes in blog posts and markdown.
		// This governs style attributes only; <style> elements still fall back
		// to 'style-src' above and therefore need the nonce.
		'style-src-attr' => "'unsafe-inline'",
		// data: SVG images are used in typesense
		// Allow gravatars in wordpress admins
		'img-src' => "'self' data: secure.gravatar.com code.jquery.com",
		'connect-src' => "'self' typesense.jquery.com",
		// Allow data fonts for the wordpress admins
		'font-src' => "'self' data:",
		'object-src' => "'none'",
		'frame-ancestors' => "'none'",
		'base-uri' => "'self'",
		// NOTE(review): block-all-mixed-content is deprecated in CSP Level 3
		// (browsers block mixed content by default now); if the intent is to
		// keep forcing https, upgrade-insecure-requests is the current directive.
		'block-all-mixed-content' => '',
		// NOTE(review): 'report-to' only takes effect if a Reporting-Endpoints
		// (or legacy Report-To) header defines the 'csp-endpoint' group; that
		// header is not visible in this chunk — confirm it is sent.
		'report-to' => 'csp-endpoint',
		// Add report-uri for Firefox, which
		// does not yet support report-to
		'report-uri' => $report_url,
	);
	// Let themes/plugins adjust the directive map before it is used.
	$policy = apply_filters( 'jq_content_security_policy', $policy );
	if ( get_option( 'jquery_is_blog' ) ) {
		// Allow