Fix CSP enforcement, missing PWA icons, and dead og:url

- Add CSP meta tag to index.html since GitHub Pages does not serve
  custom headers from _headers files. Includes 'unsafe-inline' for
  the theme-flash-prevention script.
- Add note to _headers explaining the GitHub Pages limitation.
- Also fix script-src in _headers to include 'unsafe-inline' to
  match the inline theme script that runs before React hydrates.
- Generate android-chrome-192x192.png and android-chrome-512x512.png
  from apple-touch-icon.png. These were referenced in site.webmanifest
  but missing, causing 404s on PWA installs.
- Update og:url from contribute.btcpayserver.org (domain has no DNS
  records) to pavle.org (the actual live domain).
r1ckstardev 2026-03-13 02:58:49 +00:00
parent d18be53af7
commit 0ae4ff80fb
4 changed files with 9 additions and 2 deletions


@ -10,13 +10,16 @@
<meta property="og:title" content="BTCPay Contribute" />
<meta property="og:description" content="Find good first issues across all BTCPay Server projects, filtered by your skills." />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://contribute.btcpayserver.org" />
<meta property="og:url" content="https://pavle.org" />
<!-- Twitter Card -->
<meta name="twitter:card" content="summary" />
<meta name="twitter:title" content="BTCPay Contribute" />
<meta name="twitter:description" content="Find good first issues across all BTCPay Server projects." />
<!-- CSP — GitHub Pages ignores _headers, so enforce via meta tag -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://avatars.githubusercontent.com https://img.youtube.com; connect-src 'self'; frame-src https://www.youtube.com" />
<!-- Favicon -->
<meta name="theme-color" content="#51b13e" />
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
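Review bot: the meta policy on the CSP line grants script-src 'unsafe-inline' so that the theme-flash-prevention script can run, but that allowance also admits any injected inline script, which removes most of the XSS mitigation a script-src directive exists to provide. On a static site the inline script is fixed at build time, so allow its content hash instead of 'unsafe-inline': take the SHA-256 of the exact script body, base64-encode it, and emit `script-src 'self' 'sha256-<digest>'`; browsers honour hash sources in a meta-delivered policy just as in a header. Two caveats on the meta delivery the comment above the tag relies on: frame-ancestors, report-uri and sandbox are ignored when CSP arrives via <meta http-equiv>, so this tag cannot substitute for the frame-ancestors 'none' / X-Frame-Options: DENY in _headers and the site has no clickjacking protection on GitHub Pages; and a meta policy only governs content the parser encounters after it, so the inline theme script and any stylesheet links must sit below this tag in <head>, not above it.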


@ -1,5 +1,9 @@
# NOTE: GitHub Pages does not serve custom headers from this file.
# These headers only take effect on hosts that support _headers
# (Cloudflare Pages, Netlify). A CSP meta tag in index.html provides
# baseline protection regardless of hosting platform.
/*
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://avatars.githubusercontent.com https://img.youtube.com; connect-src 'self'; frame-src https://www.youtube.com; frame-ancestors 'none'
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://avatars.githubusercontent.com https://img.youtube.com; connect-src 'self'; frame-src https://www.youtube.com; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
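Review bot: the note on the first four lines says the meta tag "provides baseline protection regardless of hosting platform", which overstates what a meta CSP can do: frame-ancestors 'none' and X-Frame-Options: DENY can only be delivered as response headers (frame-ancestors is ignored in a meta CSP), so on GitHub Pages the site keeps no clickjacking defence at all. Suggest the note say that plainly instead of implying parity with the header policy. Also, relaxing script-src to 'unsafe-inline' here is only needed to keep the two copies in step; on the hosts that do honour this file (Cloudflare Pages and Netlify, per the note) a 'sha256-…' hash of the inline theme script would keep inline injection blocked, and generating the header and the meta policy from one source at build time would stop the two from drifting apart again as they did before this fix. Neither policy sets base-uri or form-action, which do not fall back to default-src; adding `base-uri 'self'; form-action 'self'` closes that gap in both.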

Binary file not shown.


Binary file not shown.
