Security and Image handling updates from CNCF site code

Signed-off-by: Chris Abraham <[email protected]>
cncf · Nov 29, 2024 · 7744a45 · 7744a45
1 parent a115a6c
commit 7744a45
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 51 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/web/wp-content/mu-plugins/wp-mu-plugins/lf-mu/public/class-lf-mu-public.php b/web/wp-content/mu-plugins/wp-mu-plugins/lf-mu/public/class-lf-mu-public.php
@@ -219,6 +219,12 @@ function ( $headers ) {
 
 		// remove application passwords.
 		add_filter( 'wp_is_application_passwords_available', '__return_false' );
+
+		// Add strict-origin-when-cross-origin referrer policy.
+		add_action( 'wp_head', 'wp_strict_cross_origin_referrer' );
+
+		// Add X-Frame-Options SAMEORIGIN.
+		add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
 	}
 
 	/**

diff --git a/web/wp-content/themes/cncf-twenty-two/classes/class-lf-utils.php b/web/wp-content/themes/cncf-twenty-two/classes/class-lf-utils.php
@@ -265,38 +265,57 @@ public static function display_responsive_images( $image_id, $image_size, $max_w
 			$alt_text = self::get_img_alt( $image_id );
 		}
 
-		if ( ! $image_srcset ) {
+		if ( $image_srcset ) {
+			$fetchpriority = ( 'eager' === $loading ) ? ' fetchpriority="high"' : '';
 
-			$width  = (int) $size[1] ?? '';
-			$height = (int) $size[2] ?? '';
-
-			$img           = '<img width="' . $width . '" height="' . $height . '" loading="' . $loading . '" class="' . $class_name . '"  src="' . $image_src . '" alt="' . $alt_text . '">';
-			$img_meta      = wp_get_attachment_metadata( $image_id );
-			$attachment_id = $image_id;
-			$html          = wp_image_add_srcset_and_sizes( $img, $img_meta, $attachment_id );
+			$html = '<img width="' . $size[1] . '" height="' . $size[2] . '" loading="' . $loading . '" decoding="async" class="' . $class_name . '" src="' . $image_src . '" srcset="' . $image_srcset . '" sizes="(max-width: ' . $max_width . ') 100vw, ' . $max_width . '"' . $fetchpriority . ' alt="' . $alt_text . '">';
 
 		} else {
+			$attributes = array(
+				'loading="' . $loading . '"',
+				'class="' . $class_name . '"',
+				'src="' . $image_src . '"',
+				'alt="' . $alt_text . '"',
+			);
+
+			if ( 'eager' === $loading ) {
+				$attributes[] = 'fetchpriority="high"';
+			}
 
-			$html = '<img width="' . $size[1] . '" height="' . $size[2] . '" loading="' . $loading . '" decoding="async" class="' . $class_name . '" src="' . $image_src . '" srcset="' . $image_srcset . '" sizes="(max-width: ' . $max_width . ') 100vw, ' . $max_width . '" alt="' . $alt_text . '">';
+			$width  = (int) $size[1] ?? null;
+			$height = (int) $size[2] ?? null;
 
+			if ( $width ) {
+				$attributes[] = 'width="' . $width . '"';
+			}
+
+			if ( $height ) {
+				$attributes[] = 'height="' . $height . '"';
+			}
+
+			$img           = '<img decoding="async" ' . implode( ' ', $attributes ) . '>';
+			$img_meta      = wp_get_attachment_metadata( $image_id );
+			$attachment_id = $image_id;
+			$html          = wp_image_add_srcset_and_sizes( $img, $img_meta, $attachment_id );
 		}
 
 		echo wp_kses(
 			$html,
 			array(
 				'img' => array(
-					'src'     => true,
-					'srcset'  => true,
-					'sizes'   => true,
-					'class'   => true,
-					'id'      => true,
-					'width'   => true,
-					'height'  => true,
-					'alt'     => true,
-					'align'   => true,
-					'style'   => true,
-					'media'   => true,
-					'loading' => true,
+					'src'      => true,
+					'srcset'   => true,
+					'sizes'    => true,
+					'class'    => true,
+					'id'       => true,
+					'width'    => true,
+					'height'   => true,
+					'alt'      => true,
+					'align'    => true,
+					'style'    => true,
+					'media'    => true,
+					'loading'  => true,
+					'decoding' => true,
 				),
 			)
 		);

diff --git a/web/wp-content/themes/cncf-twenty-two/components/header.php b/web/wp-content/themes/cncf-twenty-two/components/header.php
@@ -24,7 +24,7 @@
 		<?php if ( isset( $site_options['header_image_id'] ) && $site_options['header_image_id'] ) { ?>
 		<div class="logo">
 			<a href="/" title="<?php echo bloginfo( 'name' ); ?>">
-				<img loading="eager"
+				<img loading="eager" decoding="async" fetchpriority="high"
 					src="<?php echo esc_url( wp_get_attachment_url( $site_options['header_image_id'] ) ); ?>"
 					width="210" height="40"
 					alt="<?php echo bloginfo( 'name' ); ?>">

diff --git a/web/wp-content/themes/cncf-twenty-two/functions.php b/web/wp-content/themes/cncf-twenty-two/functions.php
@@ -190,19 +190,27 @@ function lf_update_styles_with_filemtime( $styles ) {
 add_action( 'wp_default_styles', 'lf_update_styles_with_filemtime' );
 
 /**
- * Removes the threshold of how many images should be excluded from lazy load.
- *
- * Introduced in WordPress 5.9
- *
- * @return int
+ * Adjusts the lazy load image threshold based on post type.
  */
-function lf_always_lazyload_images() {
-	return 0;
+function lf_lazyload_threshold_by_post_type() {
+	$thresholds = array(
+		'lf_case_study' => 1,
+		'lf_human'      => 1,
+		'lf_kubeweekly' => 0,
+		'lf_project'    => 1,
+		'lf_report'     => 1,
+		'lf_webinar'    => 0,
+		'page'          => 1,
+		'post'          => 0,
+	);
+
+	$post_type = get_post_type();
+	return isset( $thresholds[ $post_type ] ) ? $thresholds[ $post_type ] : 0;
 }
-add_filter( 'wp_omit_loading_attr_threshold', 'lf_always_lazyload_images', 10, 0 );
+add_filter( 'wp_omit_loading_attr_threshold', 'lf_lazyload_threshold_by_post_type', 10, 0 );
 
 /**
- * Disable OpenVerse from Media
+ * Disable OpenVerse from Media.
  *
  * @param array $settings Settings.
  */