mirror of
https://github.com/juherr/kill-the-news.git
synced 2026-06-21 06:13:48 +00:00
feat: reader-rendering correctness + privacy hardening (P1·S batch)
Close the five open P1·S items from TODO.md: - X-Robots-Tag: noindex on rss/atom/entries/files + a /robots.txt - absolutize relative content URLs against the sender's site - promote lazy-loaded images (data-src → src, strip loading="lazy") - strip XML-illegal control chars from generated feeds (keep emoji) - plain-text feed <title> (strip HTML, decode entities) Sender-base derivation lives on the EmailAddress value object (siteBaseUrl) instead of a misplaced favicon helper. Bump to 0.2.1 and document the changes in README + CLAUDE.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Julien Herr
@@ -47,6 +47,11 @@ describe("Atom Feed Route", () => {
|
||||
const res = await testApp.request("/empty-feed", {}, mockEnv);
|
||||
expect(res.headers.get("Cache-Control")).toBe("max-age=1800");
|
||||
});
|
||||
|
||||
it("sets X-Robots-Tag: noindex", async () => {
|
||||
const res = await testApp.request("/empty-feed", {}, mockEnv);
|
||||
expect(res.headers.get("X-Robots-Tag")).toBe("noindex");
|
||||
});
|
||||
});
|
||||
|
||||
describe("valid feed with emails", () => {
|
||||
|
||||
@@ -40,6 +40,7 @@ export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
|
||||
headers: {
|
||||
"Content-Type": "application/atom+xml",
|
||||
"Cache-Control": "max-age=1800",
|
||||
"X-Robots-Tag": "noindex",
|
||||
Link: linkHeader,
|
||||
},
|
||||
});
|
||||
|
||||
@@ -170,4 +170,11 @@ describe("GET /entries/:feedId/:entryId", () => {
|
||||
"default-src 'none'",
|
||||
);
|
||||
});
|
||||
|
||||
it("sets X-Robots-Tag: noindex", async () => {
|
||||
await seedFeed(env);
|
||||
const app = makeApp();
|
||||
const res = await app.request(`/${FEED_ID}/${RECEIVED_AT}`, {}, env as any);
|
||||
expect(res.headers.get("X-Robots-Tag")).toBe("noindex");
|
||||
});
|
||||
});
|
||||
|
||||
+10
-5
@@ -2,6 +2,7 @@ import { Context } from "hono";
|
||||
import { html, raw } from "hono/html";
|
||||
import { Env } from "../types";
|
||||
import { processEmailContent } from "../infrastructure/html-processor";
|
||||
import { EmailAddress } from "../domain/value-objects/email-address";
|
||||
import { formatBytes } from "../domain/format";
|
||||
import { FeedRepository } from "../infrastructure/feed-repository";
|
||||
import { FeedId } from "../domain/value-objects/feed-id";
|
||||
@@ -46,6 +47,14 @@ export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
|
||||
"Content-Security-Policy",
|
||||
"default-src 'none'; style-src 'unsafe-inline'; img-src *; frame-src 'none'",
|
||||
);
|
||||
c.header("X-Robots-Tag", "noindex");
|
||||
|
||||
const bodyContent = processEmailContent(
|
||||
emailData.content,
|
||||
emailData.attachments,
|
||||
"",
|
||||
EmailAddress.parse(emailData.from)?.siteBaseUrl() ?? "",
|
||||
);
|
||||
|
||||
// Inline images render in place (cid: refs are rewritten by processEmailContent);
|
||||
// only genuine, downloadable attachments belong in the list below.
|
||||
@@ -92,11 +101,7 @@ export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
|
||||
<dt>Date:</dt>
|
||||
<dd>${new Date(emailData.receivedAt).toUTCString()}</dd>
|
||||
</dl>
|
||||
<div class="content">
|
||||
${raw(
|
||||
processEmailContent(emailData.content, emailData.attachments),
|
||||
)}
|
||||
</div>
|
||||
<div class="content">${raw(bodyContent)}</div>
|
||||
${attachmentsSection}
|
||||
</body>
|
||||
</html>`,
|
||||
|
||||
@@ -72,6 +72,16 @@ describe("GET /files/:attachmentId/:filename", () => {
|
||||
);
|
||||
});
|
||||
|
||||
it("sets X-Robots-Tag: noindex", async () => {
|
||||
const content = new TextEncoder().encode("data").buffer as ArrayBuffer;
|
||||
await mockR2.put("robots-uuid", content, {
|
||||
httpMetadata: { contentType: "application/pdf" },
|
||||
});
|
||||
|
||||
const res = await request(envWithR2, "/files/robots-uuid/doc.pdf");
|
||||
expect(res.headers.get("X-Robots-Tag")).toBe("noindex");
|
||||
});
|
||||
|
||||
it("sets Content-Disposition from httpMetadata when present", async () => {
|
||||
const content = new TextEncoder().encode("data").buffer as ArrayBuffer;
|
||||
await mockR2.put("disp-uuid", content, {
|
||||
|
||||
@@ -25,6 +25,7 @@ export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
|
||||
object.writeHttpMetadata(headers);
|
||||
headers.set("etag", object.httpEtag);
|
||||
headers.set("Cache-Control", "public, max-age=31536000, immutable");
|
||||
headers.set("X-Robots-Tag", "noindex");
|
||||
|
||||
if (!headers.get("Content-Disposition")) {
|
||||
headers.set(
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
import { describe, it, expect, beforeEach } from "vitest";
|
||||
import { Hono } from "hono";
|
||||
import { handle } from "./rss";
|
||||
import { createMockEnv } from "../test/setup";
|
||||
import { Env } from "../types";
|
||||
|
||||
describe("RSS Feed Route", () => {
|
||||
let testApp: Hono;
|
||||
let mockEnv: Env;
|
||||
|
||||
beforeEach(() => {
|
||||
mockEnv = createMockEnv() as unknown as Env;
|
||||
testApp = new Hono();
|
||||
testApp.get("/:feedId", handle);
|
||||
});
|
||||
|
||||
describe("unknown feed", () => {
|
||||
it("returns 404 when no metadata exists in KV", async () => {
|
||||
const res = await testApp.request("/nonexistent-feed", {}, mockEnv);
|
||||
expect(res.status).toBe(404);
|
||||
expect(await res.text()).toBe("Feed not found");
|
||||
});
|
||||
});
|
||||
|
||||
describe("valid feed with no emails", () => {
|
||||
beforeEach(async () => {
|
||||
await mockEnv.EMAIL_STORAGE.put(
|
||||
"feed:empty-feed:metadata",
|
||||
JSON.stringify({ emails: [] }),
|
||||
);
|
||||
});
|
||||
|
||||
it("returns 200 with application/rss+xml content type", async () => {
|
||||
const res = await testApp.request("/empty-feed", {}, mockEnv);
|
||||
expect(res.status).toBe(200);
|
||||
expect(res.headers.get("Content-Type")).toContain("application/rss+xml");
|
||||
});
|
||||
|
||||
it("includes Cache-Control header", async () => {
|
||||
const res = await testApp.request("/empty-feed", {}, mockEnv);
|
||||
expect(res.headers.get("Cache-Control")).toBe("max-age=1800");
|
||||
});
|
||||
|
||||
it("sets X-Robots-Tag: noindex", async () => {
|
||||
const res = await testApp.request("/empty-feed", {}, mockEnv);
|
||||
expect(res.headers.get("X-Robots-Tag")).toBe("noindex");
|
||||
});
|
||||
|
||||
it("Link header advertises hub and self for WebSub discovery", async () => {
|
||||
const res = await testApp.request("/empty-feed", {}, mockEnv);
|
||||
const link = res.headers.get("Link") ?? "";
|
||||
expect(link).toContain(`rel="hub"`);
|
||||
expect(link).toContain(`rel="self"`);
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -40,6 +40,7 @@ export async function handle(c: Context<{ Bindings: Env }>): Promise<Response> {
|
||||
headers: {
|
||||
"Content-Type": "application/rss+xml",
|
||||
"Cache-Control": "max-age=1800",
|
||||
"X-Robots-Tag": "noindex",
|
||||
Link: linkHeader,
|
||||
},
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user