From b97c2de9309ba7444a602a587d9ec61ed01edabe Mon Sep 17 00:00:00 2001 From: Ivan Vakulov Date: Tue, 17 Dec 2024 22:54:50 +0200 Subject: [PATCH 1/3] Enhance header filtering in getHeadersApplicableToAllResources function to exclude falsy values --- src/utils/headers.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/src/utils/headers.ts b/src/utils/headers.ts index c04984ea..92c74581 100644 --- a/src/utils/headers.ts +++ b/src/utils/headers.ts @@ -177,6 +177,7 @@ export function getHeadersApplicableToAllResources(headers: SecurityHeaders) { Object.entries(headers) .filter(([key]) => appliesToAllResources(key as OptionKey)) .map(([key, value]) => ([getNameFromKey(key as OptionKey), headerStringFromObject(key as OptionKey, value)])) + .filter(([_, value]) => Boolean(value)) ) return Object.keys(applicableHeaders).length === 0 ? undefined : applicableHeaders } From 77b48d36dbba09d7eb2de208cf21c08236d7670d Mon Sep 17 00:00:00 2001 From: Ivan Vakulov Date: Thu, 19 Dec 2024 11:10:21 +0200 Subject: [PATCH 2/3] Update src/utils/headers.ts Co-authored-by: vejja --- src/utils/headers.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/utils/headers.ts b/src/utils/headers.ts index 92c74581..2af9c0cd 100644 --- a/src/utils/headers.ts +++ b/src/utils/headers.ts @@ -177,7 +177,7 @@ export function getHeadersApplicableToAllResources(headers: SecurityHeaders) { Object.entries(headers) .filter(([key]) => appliesToAllResources(key as OptionKey)) .map(([key, value]) => ([getNameFromKey(key as OptionKey), headerStringFromObject(key as OptionKey, value)])) - .filter(([_, value]) => Boolean(value)) + .filter(([, value]) => Boolean(value)) ) return Object.keys(applicableHeaders).length === 0 ? undefined : applicableHeaders } From d0dc70f175f282e7147cabddaa308539e6037b00 Mon Sep 17 00:00:00 2001 From: Ivan Vakulov Date: Thu, 19 Dec 2024 21:41:05 +0200 Subject: [PATCH 3/3] Add public assets test suite and configuration for security headers --- test/fixtures/publicAssets/.nuxtrc | 1 + test/fixtures/publicAssets/app.vue | 5 ++ test/fixtures/publicAssets/nuxt.config.ts | 42 ++++++++++++++ test/fixtures/publicAssets/package.json | 5 ++ test/fixtures/publicAssets/pages/index.vue | 3 + test/fixtures/publicAssets/public/icon.png | Bin 0 -> 15969 bytes .../publicAssets/public/test/icon.png | Bin 0 -> 15969 bytes test/publicAssets.test.ts | 53 ++++++++++++++++++ 8 files changed, 109 insertions(+) create mode 100644 test/fixtures/publicAssets/.nuxtrc create mode 100644 test/fixtures/publicAssets/app.vue create mode 100644 test/fixtures/publicAssets/nuxt.config.ts create mode 100644 test/fixtures/publicAssets/package.json create mode 100644 test/fixtures/publicAssets/pages/index.vue create mode 100644 test/fixtures/publicAssets/public/icon.png create mode 100644 test/fixtures/publicAssets/public/test/icon.png create mode 100644 test/publicAssets.test.ts diff --git a/test/fixtures/publicAssets/.nuxtrc b/test/fixtures/publicAssets/.nuxtrc new file mode 100644 index 00000000..3c8c6a11 --- /dev/null +++ b/test/fixtures/publicAssets/.nuxtrc @@ -0,0 +1 @@ +imports.autoImport=true \ No newline at end of file diff --git a/test/fixtures/publicAssets/app.vue b/test/fixtures/publicAssets/app.vue new file mode 100644 index 00000000..2b1be090 --- /dev/null +++ b/test/fixtures/publicAssets/app.vue @@ -0,0 +1,5 @@ + diff --git a/test/fixtures/publicAssets/nuxt.config.ts b/test/fixtures/publicAssets/nuxt.config.ts new file mode 100644 index 00000000..0271bed5 --- /dev/null +++ b/test/fixtures/publicAssets/nuxt.config.ts @@ -0,0 +1,42 @@ +export default defineNuxtConfig({ + modules: [ + '../../../src/module' + ], + routeRules: { + '/test/**': { + security: { + headers: { + referrerPolicy: 'no-referrer', + strictTransportSecurity: { + maxAge: 15552000, + includeSubdomains: true, + }, + xContentTypeOptions: 'nosniff', + xDownloadOptions: 'noopen', + xFrameOptions: 'SAMEORIGIN', + xPermittedCrossDomainPolicies: 'none', + xXSSProtection: '0', + } + } + } + }, + security: { + headers: { + referrerPolicy: false, + strictTransportSecurity: false, + xContentTypeOptions: false, + xDownloadOptions: false, + xFrameOptions: false, + xPermittedCrossDomainPolicies: false, + xXSSProtection: false, + contentSecurityPolicy: { + 'script-src': [ + "'self'", + 'https:', + "'unsafe-inline'", + "'strict-dynamic'" + ] + } + } + } +}) diff --git a/test/fixtures/publicAssets/package.json b/test/fixtures/publicAssets/package.json new file mode 100644 index 00000000..decd4334 --- /dev/null +++ b/test/fixtures/publicAssets/package.json @@ -0,0 +1,5 @@ +{ + "private": true, + "name": "basic", + "type": "module" +} diff --git a/test/fixtures/publicAssets/pages/index.vue b/test/fixtures/publicAssets/pages/index.vue new file mode 100644 index 00000000..8371b274 --- /dev/null +++ b/test/fixtures/publicAssets/pages/index.vue @@ -0,0 +1,3 @@ + diff --git a/test/fixtures/publicAssets/public/icon.png b/test/fixtures/publicAssets/public/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..dbbf391ca35d2b70130b9493a620e3977e101d5b GIT binary patch literal 15969 zcmaibc|4Tg7yq3x7+XemDqFVfWXU=tOUV+lw2)+1DqD&fyHX*QEr!b0Vpo=!DM_|W z_LN4H#=aYdnfX1_=lgs8{``5pym;<%?z!i@&$;h=pXc7Tx3%Qq6ypQ{@K{@!p8^05 z{R;<3Ht5fKD%m6bV}xzj7Bh6gIKK@=0~Vx;j>5t?!1UfFJy$q6&}yY3?(Fy{BiA-i;2) z-QX)#E9?)@wJxuFT_dTyeVv%cXn?_N+evTU3JB< znni>^D87T?^GPfE%i7w-zPrBDl%=148~^@XvTPE|Oiv2+iJ|_~vy_;H4}8goEQhBvglgd7Y#*Sfp;aR%^llkn?UI zJJ@oC%B2E_p5PSOnWc}U-Y8c9(DpT6!F(p-j2|y!ZJ@^~P5&!B1KKKakQ!o-ty}UK zJ(8ZU0l<#&q~dqzmmkw3NNNBS>bTGA?*Gh`fQ=A8_@o!_E)FRlSri}r#ws!oQy-3O zj|D)lm^I?r-oG2gRW;)PFZlO=l2bI#dhyALDIRLmlAl=yUaaeBA%Sg_f z1$q{Htj9_F%#_Azw1Ke;3LZ8dxybB^Y7|l0J@?8%N*sU`d%3GFTg~og5`qAbgy$|| zT=h06O-!ZkiaoAN-DNxX>_a_d$aEVkO7qz?juAM(Vlx&g%?E@I2*UxwC%x@G)vmWFrqyO~pc=RkDe;%7V{bNCe;rIxue-C6?`7ohN(PQd z0$`Zu#La<`UQ8nR^|jX{9`LZa!x0cLgm}6e2aNNKl{^2O^(mA^$0LDfdsWqpjA|o_ zyU-K?kl&!EkpS|n)b>XzNty93jF#p-->YG&a!pDE-HQaM2QSi>4*askhX*EAX4)Cv zdaHbs)W2HU@zYRFh7{#?e&>5joV&9&OCKj|!g2}#C(kG?WYS9$XK5Bt%NnmKhN~#( zv1Gw!Tv<3MPJD8@y1;NP%p6!EfxWKL5N~(mY_#n*k9+iA=ReaXp}nie7{)cQ_n$9? zqtW3YS_WXRG`*iw^cbMFeNZ$(M$LNc5EfR8`hNBgVD1N@L)_b`x9ci7-Qnw404jRN zmq$2DcMC&r&UzrfVGHY@pEDrtg~LP90BhQ7GlMZ7U5+1`sldBt>9K? zhk+<(!G-AGJtH=#cf8S?!L^&sLxgHN`)JbdHyn`(wRaToxg~Ay?cbvTK9f(<2G0WHYae@7&SC zM1OmNw}`tXxXp9C7FKCUfAMa0d_2zkkMCnPgvpULZQP2s@ZmU6c;s77@`&&eIM^7Poq|ax!kxKC{s1yM(!UxS6 zx;HJBmA;lw=UzYdawlvmVralaxPorX%j~n#>1!bd(od$m*gks_JRO0Fm~nH6da+Dg(&cq1Ae$=ywfW+F8^?ZP3q2K6xnt_oMFSw z7sq#_`heoF+-;j#7@^547^M?~uvyw3F%HS2TrfWQ6^%|tE(9(JOL{h%3n8D20df)} zyKaDnPWK{h{e5Z-EP@_{OQxq@Rb&Hh)o+jyyU2$^Td$*+-*{5D=PV=v%c|G7(x-Ur zARKEmy31Ggf?&6^Z7PYK_~T`Wv{D406M7|JcZzFB!V4mi3*`=QSb~CZn<@Gb4Eu9? z38jNUB;3Q_bXV9KbG*rcKs|luDj^u3CaaQhc(=Ij=5Fk#nNOIVCf-gX#v1>%g^tR{ zviOHxl@}Q63}1Kd#_6APT_$NQSI>Ux$dYeQ^4=`CR6U)M!;463H>W7_;2$J<+A5gCC51y zBtf{HSXem90#tU-D53AISGeoaop!eJEF`gP_0OXPJt$M;O^4fPXpXR;?YywE)`>>iq^5P^krXTIn< z(DuKb5s1xZ!M1%+!i3n^Z8xnzU2HwGd{_>nCZfOrGP>}Q7y15yw?0G?8Gmxs|8!5)fyEkt=Eae(9Ko4+!1*P|Er>_uEU%c5hbgOdI00XjvSriQ_?)HT(+e zT@66wBY4B4pOw>wA}aK2%YG(DFL+LDtSVh+d;0LiL_W}90|W527vU{K_|`jv#!q$E zUQ7@dWxUxZQM=F3)vUk}?(Gzo<#BJ~k~;6H64BTkQFylC`oF3+Gp<68p(KyujmB;`ri^K;{|)f)VMFAqcuHTW(&TUrf`EmL zdt>&feD}=hhY?#xN0f!ZU}_C#Dk6-?uhOHW8#VqT)gbCz z&^qv8WBVg$=H{no`u+kYE?Pk0pR{RWZ_AJ0Vb|4kHi`mOjn=}Bm(%|ibtm)=lg_p_QNskN0N3(eHx2dhgzIN+Fa=f5o#`okim7@(g`gfNveIPK(6l_3;E> zI{Ao(rzL(cKW|m_dZroyX}P?}K`1;1lKd>H_#DM{FwsRE%DTg6YRoBc z0-)AYPY6~(d~E-Im&@jIuu0BBi}e*2tU=NqXQ*2e@JzHvAVH^w6C&FhyW_+S!)DMi zIv5aAKJFe|(x9J7`1k;ZJg^^tiGm_C!o;4J-XOpXVu?Sr4xf7jpbP_Gk`77wu(+E7 zkT}9e8FUZCekt67@I5CyKZC&pODrH59blcsZ7_iVBrh0p4w^v3i^c%ydQds9C{~OJ zEztC31$)dZc90{2hDn00wr6Ns^#QPqM1h0%En}(IGe$pg1M>^>_bzH~PPQO60pPFAbqRH}YRz>Rqm{p^j8Y zOM+?jEd?SU2lfxZ@)6Yk*5k*ODvh+=*}!=Jgr`R!rg88juE}B8IK&_pgjj4S5VyWw z)sR#gPC*c&*d!xE0eU70A4Ypqt4KF}Xlh=KL}0Jip_bF{0W@zV#Ni&Nf=(bA85KpM zZwUXHVaH5(ui>oYvH0y>N_QoCHd3H00s#uH>YvEEyk%$7;C6m{@$$+s$AVlpk#Acy zKyk{U@Tc1zDEN@?59u=4b-E!6QoKhD1Vwx2f$~YHHUqYN*Amw^+z8t2_atc<|kkI&F8)ndTg3$SASMYm7uJ=)TbD4elD*y}=0yEnvi zCQ4vD6Je;>dP5+c6$(4z!Kq zjghWCWvHr^Hf2#@_ZfV&(~VK$U15?vRx4Ng456p2u@Dv9E9nEF$S9DBqN1yRUeO55 zsu2)o8C6cIW$Z3nNTudw6yD?q#_n^=_er)!Nf_+2-d>JbWRyc0_#NZ?4!G8@o z|20HLLuF&Zu`9GCI8*XtIIsZE_#o~W5L(K(mI-I!N(-aSbZ6m36V6={(kixBj&46N;U))U*X$4hVX;3La4UH#WVOh75)_=YWE)}V54 zYUscSNAixl$u zCN;MAfqvi;!f)XN>DD4+qi(yen31Qwe1rO4!k(Rv?*Oa&lSfQQPn^5EM&BvU3m^x_ zQu`=95=JfsyXR=Nvl|@)yq6avqk(v&fZx^AaNq+7O5^BL0XuW%-{D~wc^<{!L!TY^ zJ%~r~z!}rmNp|!@3T%d)b$VR?vXa5c8`r5gmERHYH^!?+mrB8N>@iGMzuH2aE*A~#_I50%UB^_Sr(L`KA4x@z^nIygom7!2Cjh& ziiXrzO-OqYQDFHQj6Up#T;+er@S$S}e;9{5sxz}Qd_{ry0SWdM0iv8OBOj_vc!TB{ zoVB9$CCg_nK(I`7Lo(5J{$cHs;_lpW%8^jZA1lUoNvkHD!bg7OM|FfxdGp^y>cbuk} zbq7fq&2k4aL{->CUTB^yxGZNAA#Rhugh9bWUjQ`bG(qKpr)=6aAt zu@gM!v<@QAq&)h4ng`-O2=F$=&d#LD?bYbWn4M`MpCM8W}`|rErM~g#{Pm(u$CwWh>Wz@!z+F# zU)9Z$B7Wh*13r3sPuZF_Kp@qD<}pDxv1uv_*?avc7vmO=e(}Ws5oe%j$L#&h3?eHU zPyl@}|AjLc+x+WzcPgh|B|VOy4yhJY#0GKMgjV$>QoeTE$j+6W)DXj3A;hXJI-4oG z0Nuu|F5bqR7||x zJ*7>f6ORkaQX zAlTaM<*^h>h#5BsxXIy<@&+F~w_!O%rUvc$Ji%N)=n8gh$#MSJzv(bCe;Uy4qq1m9 zm0$eH7~l;!FxOC{A&b?^dyci{PyH65~9x|!^abFh%iTFSbY$ z?@=zMRfP!C?dw>Zfm?k$rMAybo^kGUO}y|eJ%{D2+yOqY9=pSst}beT3}g}}_LrQ1 z9)ss~JVOT~K(r?!q!!ZOcK;gv$VS1l|CYJK-Na|;oJey(WUm0ZM?LD#K(=u#y=u&p zqJRt%N`u!kg~AEbezQ1%7fi!BmR46~+%sV9b<^>FinPBGoXV>L)HPTj&3vAZSuP%h zs5E^cy!wm0gRrq6pF5A z{4+WasM1qGJ})RfVqx5!nZx4g)zF#&+v`x2_T#nwH0_zerILgQxY&h*nR8(x_EyY% zkPa&&1=?MuMzll1Rj5;!n|04fe3L7~6}eX&gadw2C_4|PhSnHBXewQ(jDTQq#*@Z9 zbnVh42MnEt1hdEVzwIZj(Yt-GbPldxg3eO}5W_*_TqzA{emf+H@-D*+8lIHRv<-iD z{{};URhV{x;7lV=KV>WQ-6akt58w?Tv&>QM3@|*qxH(y4>or2NyFX?U$3T3kyyBLn z{dqgB|xBMdT}vDQr26Eb0R2 z8Mfi2(15opfAn+2E~oXaR>83oBp8&zFwZl`SB#c$u#++S#;#|}KMeF#$jiGeKL{ih z{;Tq+^w*>96xFKvajmOu9Nn)CjMN8p1NP2%M?lc(Qyh{|LGJsu^#DNhy?S6^4^+<7 zViJcD^K?LwU1pQ@?|_?VcC3j$B5?rE^m|~5g)hAg&vgBAA}D0uHcb?El72byr~fwS+ta%}8Q za{c(V?aI{0uB0T!9rf7&ws;a(@OY+E(b`P`+UZE42L=W-Z#=R3A$zCu2NX0Wxeh+( zBjpL@SVJ%b`5w$up@>QHGQ8gXvgki2BNUTpYnT zgo?Wd8GGttEhdtTB=b1_{$~i%%c_|KbZFWDV;e%Ky2twGv)D!TV_%p!_WxRETG=1@ zpz$W8pCwS2tO4T}j$UQj<~8;2`jvRLp*q%ZovT4l1{j7A8Ia_v(mQ|nIumP84lNMl z2pRX(ID|^H7x`nP8=an@L_JiYLM_XGH%z*w0{Qw11W z^^^Y{YnhWh78*JKg~M?OEd@-p{2l1~-FeKGah&Oj!d@{c&$tPoW~etbZJQT8h!Ws=P3U zO@{+D#rsV&&LCU*?L6f#nLsqHC5YwrlHVeyY7!e}S|m-vcfvJ&k1GQygF5 zQ~58p)YHDQqVAVzg5z9pJDkm5b{j`VomAs5XlRw(6(uc04nah~FOoMe?rqBfve?5^ zc_@+U$5eGF6TUiH3m|5@y`h;pKr?N1Ss8dkSV${b@eWZ-#0VZ`#r~|BVzwT-Nb++- zWfOw1z6YXgCz7CWWfGS3r0CZ)NQA1+5=P2`69`@hW?uu@&?oodQliWxAo_W5nefQ&9d0RevU2n1&7Rq2} zxuJGGO;&a%%}1|2ef0Z@!uT?T_$BA2IwRdr@N>a$7b7M;X6;}~n!rfxcXG)S9(BIn z$S$qd7ApnHvrON$y3F+dL#ee*)WSBd+nxLqc6 z7)QpVi&uCyag`3L1tF}&XH)F#J4HFUDN~2gshxhZ*O|cn>4Uxm@tfQ4CCeGt8M+N{ zV+V1YJgP>NyZ$G($7Z6W=V-qMhFC; z=Q(TaX%a_B2Gu1w_zC^d2*zF$M2Bp&UA&4$Y5o3ZbakAjmiK%<)<1c}F)0cB8=R0L zGEo!d#Ex*gp@bD(UEC_5R35|Js;tU>ofgEewEmMZ*t}SA^4<@IQY92_Ae!vEZ`o{& zB`)YJtNPKO|1!qTQF(WiU$IIR&W(|Jq=sUo@nNngn;R{`md~o5^`*Li`<+7Kf3iJ{ zS-L5l=SG`i&MdRWX0|)~o7B>UwTvye3Z+?y$q|<0mTCMQ9o>grQr21GcK)p^5U$a> zWBk%>v>W~=YjZJ|yE0nj-iSSNVv`hRF~xp?hnzEi8U{*#8u57>VPnuCPeYk5xpVmI zOU;V{ex`+Qb{pw7p+jBgGM{ULu1{7IZ+|d8_ytbatDM~9S7A!6WW?TUqG`~R-{6Z5b|L37nD}LJ8$e4ta>BP*Wmi-bv zTHOhdqg8EFpk&6j6(sZZ{0M3m2El`w8K2WNkohPPIBi~>vUUDWx2kI2wUxV2a<4Fe z`Scr9W+vxVvKKz;$+wG{d)uD1nww<9!xrk-_v;hxu4-VBA!c(wy*!5-ty%!_sm>8W zbn(nKsC&@(Odf+PXXfRbtip9aOFQ47X+3LKmrVHggTDzPKqQAP^2beCf5)}|tH?>* z7>f75#rv@7ciLIXPG7Oh+a!JPfE!%1o3KQ-J8HxC$PKgtc9RM`f#?c9AmN1O$$l>V2xt+}*eBNjS~51Sqy!z>M5 zANMEoVBIx;LCjsw9X3b3@S;{>IVZV*zk!*L5;4oiv_RNC#EYjUBntgeyjqKl#b6D4 zk{HM?V~O1PLygJqdW!CIsG)xdlvQUdO~e>~r+585+gK87IVMDImJFFBmyhXSE|mfG zEU^$)b*w%o%s1Cid*+gAcp`tXK`R#{`wNm(CrSKk0K4>+)JZiqQ3Qq_Wia%KyLwxz z-%rV_JY4xIO1Rz6WLhj?3MRsa@AwNH>9Y#dyiR*q;c?TNp;BMS>zP{JF0!+>@_Wxnm$l9J<%^V}2WGfW~=M=QGQjv~KMu{Wt* zuYJjp#0dgl#&R72pP`0h$G?QLaf=`Zofq=p&=Q>UC8Z?j96op=j&N=5ir>dZV^~lb zYt@^!E1w}=V+&~S^|!8RWfVi5#txL>NB=FYC0b7v7j9?L7`sE`i@I4w@>oGppy7lZ z_4Y0|C6vq1SYhuZ|1x#4@iial;&#HZ#!^Lx2B#~3j)tSTr2y)vOsogvLaoVJNB$O* zeIL25{o`hVVuw$Dhrcx$+sS-CwUn=H@+{Yz%!(dgyH;)usiWzD6!|dz!1$@g*Q1wI zs*HBZOOYI7O^zuSCL8`0R~={3NGmk~^0) zTahR>ecDD%0O7a(rDQT`=>y)jRJl;m9i>;ZQoKgrAnIVEE89o;3H3s)$p?S}e1Y_=zk0JYu-2lZ}7WwfsEW`MX?#%%Y3k_4~*RaIw* zKj}dZ-8lM4pT||b=Bn>@*y?ZdkUTtRkzO;q-Ert0{5~;SGHvhE6^dv)_P|^6{+RYJFNB#2hW9iXmUM|nur@tjf_V3YFcSFl0pM`@Cvq1KQ zGtj33g19{k8Y{c3>fNJfF4PMJ?%-69y7vPmDD_#)f%IhcU~TmHX{t$9(x$Ew4Ev(x*i#Rw(t^hxVYdr0?kp1nW&=am^u)&-J-T^^ zo(EeWRb~YxKUt9*ViPsup8*J&>vzsNu5kAx!|~q!%POqEE=8*7Jj>Y#N`NWmRw-lX z&)c)ASnU&89tVrmAJbh_{8Nen`sFisFY~eya3V|X5rq^}To@6??I6~q|0Gj@_`2xj zZvCgtE>9}Hy36APglBDD$-zKu-V)xFC_#!?&mv8}{RBdS+wWzuX2K+CB=JBfZE$~E z`)wy{J`yt@(71lcHkT%Hb71LUJM>Ob9xMBDvBAtNgF*Nq(EIrCXD{Gc;-LS#2rWT> zg6|0On%>cneXX@@6od?!nYJS-Fcs}9{xumM2n{~42hy{sl_#Vvdc={7n5=((=FAQu z819-bh?6M_1>|{55@Y?77pSu4=GYF#Hn-O3l+B*w+Ou$EzGV+u3wXmk-v{G(!8W|=ySw4?oeClVI zp1q{TmsjU9o9Xqj`mOE5h{YoJ;(8$Lhv+?#G%j*;&GpFMt(y6)_R<#?Z4tkuh+N~l zOSIXJ?i}f&(dw%%AxnIr%i0_hl7ZSFvfdS=Y(eIo?xkStA1ia|{(5Rk=r1Y`(mB^3 zI&~87a?1|Wxm0QI%tfHEN|os_h!%|dw{Dh-tO;^V9QqyrLTX&w+Pgj?$9G*=&xc{! zUn_OLIKRKR+(p=RbZa!>$pI6Uk(gbvm6P${HG3p2`3fiTA%%4HQscJAyHzia&d+Zn z+{EbvhlX`!!D$w7X;y6F^H0ie7sgbj75TBC8(5edGBvfdAjzOyKYlkLWfTQIzKM~t zp9v$J#7A7bN((vrvzNqQsG2*ApGuW@;K5Lf5Ma+)e#31<6W@6fWezXDSPLD%HL+#q zW*?Fv|FMu;e*JExrZ$%FamD(`<(GsK9d}fN&z64UZ%#&^a-h&e5@{Qq!RPAiBZ)*z zWM1CIQ*klJ7U@e7Y3pr{67C{km6r zM#Q!~hcB&0@)b%L$!ZK7?Ih9YJ{r@hdx`1>sn>ze*uhVC$4b+tRL5}>Ezt_Ns_BW4mTSI?WJ`3y03!G330^|JwL-sh1@L=lt!@Ky17p}*2Jnsa7 ziFo?uncEPRo!KpDsb0W}3~rH0jb2FL?nMp;f~z~g*rtG(*~yV}e8L+(XpJeg6~v#3 z`ipyDWS6_c-78B_niGM8@m;)3lAq8-SRP*x>9BaA3!J~*Ixz^SXU`5+;vF5^mrft& z{z7w6;jo8Ze{!nU_ge?JVY|$)o`Sx3TUQ%$#9SJgYHlx-404VcxRN<213c3ID>a4(fe!QM-hU9}{lO6d~ z5{!1P@M6hHJH{s;x{HoA!HWyBT#y`AnoC{$Se#V`{Z*Q9IsIYku8`OII_|{8{s8Ec zgRVhu^f4jNm?)KyN#TwLA@pEZ&qz)v<9Fv)M*^j5dB$X`Md1@5oYg3l=Blcib;n+Y zeVh(m(Rw{Zd%h#=v%X##hqL3q2s~><(v=C5FD}DoSy1uUveQmegiQvZCMEoiJS5uR zy$vEzs8)#BXRwm*Qi1E~`i+@B^&wjRJ?QO~MNak!{y=D1t^p1&XIYR4PgCu7JB-h_ zt>%lNv$(GI&vdA|us|T5+w$GLY&QifNi6Y+%JR*>k*kioQI|re@tT>j_m695hagNPXq;(2e2Tjq=@H$6Mb`IRc2iq_Zaq#~i$2a`(UP8GM9uS z9oPQs`=qpT=czdU*8sj;*WYUoc=!g9+YPtbmzQp2M|UDh=(7_@ zv&%cnSB=A?0*8zOvtZ(rx-zE+CY0>=T=5$dtZ=F~u8g2>(s_jGijMJ^>EkL8OZ?@xkjP`uz*)wzpT$4N`5PvVRIN`gCx!Ik zyV^%5aE+&4-J<4*JmD%_7xoFbb^J7`@wh#23(K&VDJSbxu{eG>mQ2Zk;f1|dxIbDe?S%Q5s6=n17A~s^PnBXG&1QTG z5<>4Ei#9jjYR)P2(Q;?cIvZMaw(4N});HtcSwFOH(STIxx2?QoUdDo3cOvF^DgBSv z*%wS|^%q{2nQV7kKyk+Tt%sr?y4v3lMew_Drmn_=YqxC9@9|0jW@v94>mRM+Tjl=x zT+5r?OP{qPDj%OXeO}p*?F#p(z0lTvqoJ6Btb2HeTq>i~1Y>%4U;saZEO~HkPpxcH zAZ(CJ+-3x49)CYp-Qk-=!7$EH?NjjHsYHxc@%iB(eXc?m*qD%&3tEIMf{eeso10Tq zW1_4-M~WQ6Yf>gjUZ)rjyHdlBRuA8CSeiFhUcyfucZ(S+jswe|(9djfWjZlFo5|+M z*)3bbYPYZEecXa9z7-l!dVN^1d;U_>Fw2h+l9*e~-52YgL=AhTLpyE76ndX9h5qR! z-Px%Wa|{saN#~^(DnRDC@QF&6ik6%8lIo${kzwIerF3am8PZSZeWzliKKTzZ`1gv! zu{yo*-B^(?@O|HQRQuT2@7{;K4XwqA40Ofl(9;*7=z2#TVMu@a(_cUp9-8ss19kbz z!{uJlr?>~Au)II62a6&lZJZ?wukTY;u3$wXqO@uWR|4Yx-Z)xP&cNJ?%ri&pG9H_! z*x|l~r~HaT*H3=x{{6F(ewq()_8>BEnANW;{HrV?DF2~2a#VOUBVmj8Lm6t_WHeKw)HVbMYv5SPAN*T zYWKy7t{}i&c+vB`)8_Z*kYRA!uY;I`#p^8WiCX5SGl5gX#<82R$oL_XRpDif)fPT? z&0&SMQ!I_LS{rfHjd?w5a_&~5O71G7nM6|NBgWy=j(>zq%QkUq`aArQkkw4Qcn^D( z{Lp>ap`GA?UJpx}1#zjeRgUist@jvEHwot2?ej9^D#WKOEl6ZStXHY(Z%_w1gMR-A zs<6gn4^`*(c@qoCtj%%EIucBm2FIH4O|iz#lKVQkDqk*6%y_;GbyOyaDC}t$R!#lu z@;HaKLX?leP-$nSSK7T=4sl2VS69`A$AmNOdiw?6O~z++s(I)hR6owe+A%dF0*!HC zdzz-Xx{$y3_Q`%*hJ36vq5aZcQ`5qy3hJt3id8{=Im(Tr!|&KRcPF1x=wnL~oh_L2 zuWrh&e!%B^2FkWv@LoHllK`tlNzi_Xi*%N2ild^Uf!5BHqabZ&KEuk~VC9OGH)yIo zb~l36DO88Bw7YZ@ah0P!tm@UgN%(O&I~&f)Ro?ba#`4by*}d*tGzV*LQS74OnOABj z5Qp7ydODrY37>lc_P<;H@QEe%(2&RJO}kUyB=VqB?e4o?=8KP!5<4>qpwNICUxX`b z+Z+4BIr$5A>tQV6_U*~8(&&zu_lX-ude5C{rKy?pkE4-|+qEkl)=G2_+T6%NX$Rwt z?>rSC>LR_mFlUk4<=(k?MkeL^gG(p6yxz-pt6nP*B?{n&rOEv~xa6qGl8Z4iFScA7 z&38xbpwr%#uf3RLbMLK}c-fbi@n-343kMWP;tIowP3zW^#rdgb-S?v1yL#g2Hv(2e zx5)wjdin-WTurL zDrBNPzGk{$4hhF5%=o_NJuoIVHBEZ3dC>#~$C}Py3&ZwyI%E4yO%X73Q|Q_i+REDM z&zvlCnFl9!a!9`&8G>-^dopkTnf4|RX)_dfUOu)fBer7Tc&(OhAO%F8d`Um=_A1TV z{4g@|?@-${Xh+9|-8$B~jj46@5bQAn6G_7?elFN;-*{jBnB|6j29ajWWCl`Pe&<0@ z?Gu`N?g@R)p}Wq0Vh;AypXU`Bq{pk_Wk$xMwMSs+1ZmRlqc^+9Hm+qTA;6;fh?whF z8=wt+Oulz?cjG6+|NT28_|g9o{R_o%@g2Zd~l*`8GMCfbvV+K+5m0uF=t=n@?pxACU z=fPqejP@I5U8dtVN+UX7e6K`-3;m~mVyLwXmnIHWW$N3%S%heMu+rXNSQt= zzpdD*yQIbv%On`!L(SjYEj0_67FT+Og|gZ(Uic0@3Nj^*jt+2`kg)o=XLrkUJ8Wpb z3nx~6p89fpbv1(Swzp7_(O3w9euMZFz3}#SjY8FGc!tjtJsriDOJ`+4Zhdsyp6x7o z%5k{J=72mLOEo_y;CjQC@~cK~dDg?@*i}g)P+7gXX;+}e9wCc;iig=FT=6RHVvj$o z;Ac-YQeH~9gX~T zf3*wM<=TaQ5}^TJhO_0obxL}XyUcHBh5q-v8pGzQyI_M} z59Q49VaeWyY$&4annd~qx<%%t_Z@F86x)LWhXc*W!bI900HfD;FaK1_diAd1mNN>C z3Edhtp>1>hnL5ky^$r6spm!7y-#tDkfFSQLe#4=u2FUqrU)8QqeQ%Vz-u^*x30?D0 z3%R3;4S^OR;e%3jobd61hm5uM@_&g@gQPs1#rlO0B*@+tg=zU45iBJdPS)&H2!pkO z8+3@n3O?X~xG*_bbJwG15rsj|7nLKm4s~L8BR6PWZ-a7l>)lCy^Jrp67FXK4>aI|Dm$_ ztB)j&zOz1986Um*d?mf_)-``#YA5S?NG+wzgm}P-$dJy@TKSNaA;3jD)L6AWk_04! zat`i8DAd5L5(}vHM70ad;yXa{R?fi#h;$xwkKRVswF_&N`(aofW)ajfg(HII`{%7wP@>_Ue9{H?NkO_6vmV+@o;i%%DmYlcVXv<{@urW|Qx9zX zDH}@*VdY`6$1p7hC9Zz`#yez(T zxRf=fZlgEVg$6$cP-)({y^EiAuHa9_tnrSVk^rR&%X4MUulkUAm~<;1_beDIy9(st`Mkm8<{#*mi1HmXQ{{xmtp#KwhRgG4 z9u5|0*p408IcXHZ#%YssFe|*8ltSQ!V-I_Oc!jO_s*$b(ZP^}k8PVnVz;hXXAJ+8* zv-fpXE0ki{y6v1}AidyxL?!NNAf9tLN~|1f{Zh zMos-5H@Yb)btBten8?q`y6~(9BYC5`RbgS!*H zFk*^E)x;2hsEZip3WG%#T_mt^?y{9oXmg2P_%akItT`_t@k5uBwe9(axPi{1*VGd3 z@|OO$CGj{i3V6yTvGJs!CAp*CR*IWEqOo)){xWuuf%ecjbsg*^HFD}OyEi_%<<{2P zTjcDqSe%xfRr6@tL(E4cs7l}X@Q8p`5O|gKbES60phzX=`7S>iVB14vCqOLL!+nDC zA!)zUCaN8QRB3><%c*0(d&_;|?uMBuG?YI_G>r^{f!QkC zv2R$LiM#b^Y*);cYyKt^YYD(e5}?m%`jf0r9VEMw_p>-{-aM8eLA3zbrc3=X7eZbW z%88t;<@1ymvd?!kB;nxjrTh?;iDLt?(4go4nAw@^gDg8R%ry@GqWzUQ4;SY!hHgUW zzjCCeKRet5rRVIzoX+{HeY|SSTY5Hr;_Dw=nA3rdv|T7`A-wM(HBuJUhS`dY2}fN1 zsWJ3m^LmR4%upJjKM!*x#+_e3qfjPK%edG4dn5P?=acTln3zH64xfXe1MQ^Ll#-~x?JShdILWXT^YJZN`u%o zrFMk{od((9k!|gd3TagK`5RN0O6WN}uT?$>*nkkP2G?iM^-0g-w{NU=deJBeI*pvVm#zDP zsnS|D&yG#GWL6|Ow|nf82{bP6kj=9m|_P#7xPib zj}1^a5c&{09?%HholAt9Kwsi(7TFV5pVmkK^>iB~Lix3d86=NT#1ymsPt3A6)HR{* zpCVX@)bWk_A*mpEZN(vgWx63h$YhUc6C#Um)D%m6bV}xzj7Bh6gIKK@=0~Vx;j>5t?!1UfFJy$q6&}yY3?(Fy{BiA-i;2) z-QX)#E9?)@wJxuFT_dTyeVv%cXn?_N+evTU3JB< znni>^D87T?^GPfE%i7w-zPrBDl%=148~^@XvTPE|Oiv2+iJ|_~vy_;H4}8goEQhBvglgd7Y#*Sfp;aR%^llkn?UI zJJ@oC%B2E_p5PSOnWc}U-Y8c9(DpT6!F(p-j2|y!ZJ@^~P5&!B1KKKakQ!o-ty}UK zJ(8ZU0l<#&q~dqzmmkw3NNNBS>bTGA?*Gh`fQ=A8_@o!_E)FRlSri}r#ws!oQy-3O zj|D)lm^I?r-oG2gRW;)PFZlO=l2bI#dhyALDIRLmlAl=yUaaeBA%Sg_f z1$q{Htj9_F%#_Azw1Ke;3LZ8dxybB^Y7|l0J@?8%N*sU`d%3GFTg~og5`qAbgy$|| zT=h06O-!ZkiaoAN-DNxX>_a_d$aEVkO7qz?juAM(Vlx&g%?E@I2*UxwC%x@G)vmWFrqyO~pc=RkDe;%7V{bNCe;rIxue-C6?`7ohN(PQd z0$`Zu#La<`UQ8nR^|jX{9`LZa!x0cLgm}6e2aNNKl{^2O^(mA^$0LDfdsWqpjA|o_ zyU-K?kl&!EkpS|n)b>XzNty93jF#p-->YG&a!pDE-HQaM2QSi>4*askhX*EAX4)Cv zdaHbs)W2HU@zYRFh7{#?e&>5joV&9&OCKj|!g2}#C(kG?WYS9$XK5Bt%NnmKhN~#( zv1Gw!Tv<3MPJD8@y1;NP%p6!EfxWKL5N~(mY_#n*k9+iA=ReaXp}nie7{)cQ_n$9? zqtW3YS_WXRG`*iw^cbMFeNZ$(M$LNc5EfR8`hNBgVD1N@L)_b`x9ci7-Qnw404jRN zmq$2DcMC&r&UzrfVGHY@pEDrtg~LP90BhQ7GlMZ7U5+1`sldBt>9K? zhk+<(!G-AGJtH=#cf8S?!L^&sLxgHN`)JbdHyn`(wRaToxg~Ay?cbvTK9f(<2G0WHYae@7&SC zM1OmNw}`tXxXp9C7FKCUfAMa0d_2zkkMCnPgvpULZQP2s@ZmU6c;s77@`&&eIM^7Poq|ax!kxKC{s1yM(!UxS6 zx;HJBmA;lw=UzYdawlvmVralaxPorX%j~n#>1!bd(od$m*gks_JRO0Fm~nH6da+Dg(&cq1Ae$=ywfW+F8^?ZP3q2K6xnt_oMFSw z7sq#_`heoF+-;j#7@^547^M?~uvyw3F%HS2TrfWQ6^%|tE(9(JOL{h%3n8D20df)} zyKaDnPWK{h{e5Z-EP@_{OQxq@Rb&Hh)o+jyyU2$^Td$*+-*{5D=PV=v%c|G7(x-Ur zARKEmy31Ggf?&6^Z7PYK_~T`Wv{D406M7|JcZzFB!V4mi3*`=QSb~CZn<@Gb4Eu9? z38jNUB;3Q_bXV9KbG*rcKs|luDj^u3CaaQhc(=Ij=5Fk#nNOIVCf-gX#v1>%g^tR{ zviOHxl@}Q63}1Kd#_6APT_$NQSI>Ux$dYeQ^4=`CR6U)M!;463H>W7_;2$J<+A5gCC51y zBtf{HSXem90#tU-D53AISGeoaop!eJEF`gP_0OXPJt$M;O^4fPXpXR;?YywE)`>>iq^5P^krXTIn< z(DuKb5s1xZ!M1%+!i3n^Z8xnzU2HwGd{_>nCZfOrGP>}Q7y15yw?0G?8Gmxs|8!5)fyEkt=Eae(9Ko4+!1*P|Er>_uEU%c5hbgOdI00XjvSriQ_?)HT(+e zT@66wBY4B4pOw>wA}aK2%YG(DFL+LDtSVh+d;0LiL_W}90|W527vU{K_|`jv#!q$E zUQ7@dWxUxZQM=F3)vUk}?(Gzo<#BJ~k~;6H64BTkQFylC`oF3+Gp<68p(KyujmB;`ri^K;{|)f)VMFAqcuHTW(&TUrf`EmL zdt>&feD}=hhY?#xN0f!ZU}_C#Dk6-?uhOHW8#VqT)gbCz z&^qv8WBVg$=H{no`u+kYE?Pk0pR{RWZ_AJ0Vb|4kHi`mOjn=}Bm(%|ibtm)=lg_p_QNskN0N3(eHx2dhgzIN+Fa=f5o#`okim7@(g`gfNveIPK(6l_3;E> zI{Ao(rzL(cKW|m_dZroyX}P?}K`1;1lKd>H_#DM{FwsRE%DTg6YRoBc z0-)AYPY6~(d~E-Im&@jIuu0BBi}e*2tU=NqXQ*2e@JzHvAVH^w6C&FhyW_+S!)DMi zIv5aAKJFe|(x9J7`1k;ZJg^^tiGm_C!o;4J-XOpXVu?Sr4xf7jpbP_Gk`77wu(+E7 zkT}9e8FUZCekt67@I5CyKZC&pODrH59blcsZ7_iVBrh0p4w^v3i^c%ydQds9C{~OJ zEztC31$)dZc90{2hDn00wr6Ns^#QPqM1h0%En}(IGe$pg1M>^>_bzH~PPQO60pPFAbqRH}YRz>Rqm{p^j8Y zOM+?jEd?SU2lfxZ@)6Yk*5k*ODvh+=*}!=Jgr`R!rg88juE}B8IK&_pgjj4S5VyWw z)sR#gPC*c&*d!xE0eU70A4Ypqt4KF}Xlh=KL}0Jip_bF{0W@zV#Ni&Nf=(bA85KpM zZwUXHVaH5(ui>oYvH0y>N_QoCHd3H00s#uH>YvEEyk%$7;C6m{@$$+s$AVlpk#Acy zKyk{U@Tc1zDEN@?59u=4b-E!6QoKhD1Vwx2f$~YHHUqYN*Amw^+z8t2_atc<|kkI&F8)ndTg3$SASMYm7uJ=)TbD4elD*y}=0yEnvi zCQ4vD6Je;>dP5+c6$(4z!Kq zjghWCWvHr^Hf2#@_ZfV&(~VK$U15?vRx4Ng456p2u@Dv9E9nEF$S9DBqN1yRUeO55 zsu2)o8C6cIW$Z3nNTudw6yD?q#_n^=_er)!Nf_+2-d>JbWRyc0_#NZ?4!G8@o z|20HLLuF&Zu`9GCI8*XtIIsZE_#o~W5L(K(mI-I!N(-aSbZ6m36V6={(kixBj&46N;U))U*X$4hVX;3La4UH#WVOh75)_=YWE)}V54 zYUscSNAixl$u zCN;MAfqvi;!f)XN>DD4+qi(yen31Qwe1rO4!k(Rv?*Oa&lSfQQPn^5EM&BvU3m^x_ zQu`=95=JfsyXR=Nvl|@)yq6avqk(v&fZx^AaNq+7O5^BL0XuW%-{D~wc^<{!L!TY^ zJ%~r~z!}rmNp|!@3T%d)b$VR?vXa5c8`r5gmERHYH^!?+mrB8N>@iGMzuH2aE*A~#_I50%UB^_Sr(L`KA4x@z^nIygom7!2Cjh& ziiXrzO-OqYQDFHQj6Up#T;+er@S$S}e;9{5sxz}Qd_{ry0SWdM0iv8OBOj_vc!TB{ zoVB9$CCg_nK(I`7Lo(5J{$cHs;_lpW%8^jZA1lUoNvkHD!bg7OM|FfxdGp^y>cbuk} zbq7fq&2k4aL{->CUTB^yxGZNAA#Rhugh9bWUjQ`bG(qKpr)=6aAt zu@gM!v<@QAq&)h4ng`-O2=F$=&d#LD?bYbWn4M`MpCM8W}`|rErM~g#{Pm(u$CwWh>Wz@!z+F# zU)9Z$B7Wh*13r3sPuZF_Kp@qD<}pDxv1uv_*?avc7vmO=e(}Ws5oe%j$L#&h3?eHU zPyl@}|AjLc+x+WzcPgh|B|VOy4yhJY#0GKMgjV$>QoeTE$j+6W)DXj3A;hXJI-4oG z0Nuu|F5bqR7||x zJ*7>f6ORkaQX zAlTaM<*^h>h#5BsxXIy<@&+F~w_!O%rUvc$Ji%N)=n8gh$#MSJzv(bCe;Uy4qq1m9 zm0$eH7~l;!FxOC{A&b?^dyci{PyH65~9x|!^abFh%iTFSbY$ z?@=zMRfP!C?dw>Zfm?k$rMAybo^kGUO}y|eJ%{D2+yOqY9=pSst}beT3}g}}_LrQ1 z9)ss~JVOT~K(r?!q!!ZOcK;gv$VS1l|CYJK-Na|;oJey(WUm0ZM?LD#K(=u#y=u&p zqJRt%N`u!kg~AEbezQ1%7fi!BmR46~+%sV9b<^>FinPBGoXV>L)HPTj&3vAZSuP%h zs5E^cy!wm0gRrq6pF5A z{4+WasM1qGJ})RfVqx5!nZx4g)zF#&+v`x2_T#nwH0_zerILgQxY&h*nR8(x_EyY% zkPa&&1=?MuMzll1Rj5;!n|04fe3L7~6}eX&gadw2C_4|PhSnHBXewQ(jDTQq#*@Z9 zbnVh42MnEt1hdEVzwIZj(Yt-GbPldxg3eO}5W_*_TqzA{emf+H@-D*+8lIHRv<-iD z{{};URhV{x;7lV=KV>WQ-6akt58w?Tv&>QM3@|*qxH(y4>or2NyFX?U$3T3kyyBLn z{dqgB|xBMdT}vDQr26Eb0R2 z8Mfi2(15opfAn+2E~oXaR>83oBp8&zFwZl`SB#c$u#++S#;#|}KMeF#$jiGeKL{ih z{;Tq+^w*>96xFKvajmOu9Nn)CjMN8p1NP2%M?lc(Qyh{|LGJsu^#DNhy?S6^4^+<7 zViJcD^K?LwU1pQ@?|_?VcC3j$B5?rE^m|~5g)hAg&vgBAA}D0uHcb?El72byr~fwS+ta%}8Q za{c(V?aI{0uB0T!9rf7&ws;a(@OY+E(b`P`+UZE42L=W-Z#=R3A$zCu2NX0Wxeh+( zBjpL@SVJ%b`5w$up@>QHGQ8gXvgki2BNUTpYnT zgo?Wd8GGttEhdtTB=b1_{$~i%%c_|KbZFWDV;e%Ky2twGv)D!TV_%p!_WxRETG=1@ zpz$W8pCwS2tO4T}j$UQj<~8;2`jvRLp*q%ZovT4l1{j7A8Ia_v(mQ|nIumP84lNMl z2pRX(ID|^H7x`nP8=an@L_JiYLM_XGH%z*w0{Qw11W z^^^Y{YnhWh78*JKg~M?OEd@-p{2l1~-FeKGah&Oj!d@{c&$tPoW~etbZJQT8h!Ws=P3U zO@{+D#rsV&&LCU*?L6f#nLsqHC5YwrlHVeyY7!e}S|m-vcfvJ&k1GQygF5 zQ~58p)YHDQqVAVzg5z9pJDkm5b{j`VomAs5XlRw(6(uc04nah~FOoMe?rqBfve?5^ zc_@+U$5eGF6TUiH3m|5@y`h;pKr?N1Ss8dkSV${b@eWZ-#0VZ`#r~|BVzwT-Nb++- zWfOw1z6YXgCz7CWWfGS3r0CZ)NQA1+5=P2`69`@hW?uu@&?oodQliWxAo_W5nefQ&9d0RevU2n1&7Rq2} zxuJGGO;&a%%}1|2ef0Z@!uT?T_$BA2IwRdr@N>a$7b7M;X6;}~n!rfxcXG)S9(BIn z$S$qd7ApnHvrON$y3F+dL#ee*)WSBd+nxLqc6 z7)QpVi&uCyag`3L1tF}&XH)F#J4HFUDN~2gshxhZ*O|cn>4Uxm@tfQ4CCeGt8M+N{ zV+V1YJgP>NyZ$G($7Z6W=V-qMhFC; z=Q(TaX%a_B2Gu1w_zC^d2*zF$M2Bp&UA&4$Y5o3ZbakAjmiK%<)<1c}F)0cB8=R0L zGEo!d#Ex*gp@bD(UEC_5R35|Js;tU>ofgEewEmMZ*t}SA^4<@IQY92_Ae!vEZ`o{& zB`)YJtNPKO|1!qTQF(WiU$IIR&W(|Jq=sUo@nNngn;R{`md~o5^`*Li`<+7Kf3iJ{ zS-L5l=SG`i&MdRWX0|)~o7B>UwTvye3Z+?y$q|<0mTCMQ9o>grQr21GcK)p^5U$a> zWBk%>v>W~=YjZJ|yE0nj-iSSNVv`hRF~xp?hnzEi8U{*#8u57>VPnuCPeYk5xpVmI zOU;V{ex`+Qb{pw7p+jBgGM{ULu1{7IZ+|d8_ytbatDM~9S7A!6WW?TUqG`~R-{6Z5b|L37nD}LJ8$e4ta>BP*Wmi-bv zTHOhdqg8EFpk&6j6(sZZ{0M3m2El`w8K2WNkohPPIBi~>vUUDWx2kI2wUxV2a<4Fe z`Scr9W+vxVvKKz;$+wG{d)uD1nww<9!xrk-_v;hxu4-VBA!c(wy*!5-ty%!_sm>8W zbn(nKsC&@(Odf+PXXfRbtip9aOFQ47X+3LKmrVHggTDzPKqQAP^2beCf5)}|tH?>* z7>f75#rv@7ciLIXPG7Oh+a!JPfE!%1o3KQ-J8HxC$PKgtc9RM`f#?c9AmN1O$$l>V2xt+}*eBNjS~51Sqy!z>M5 zANMEoVBIx;LCjsw9X3b3@S;{>IVZV*zk!*L5;4oiv_RNC#EYjUBntgeyjqKl#b6D4 zk{HM?V~O1PLygJqdW!CIsG)xdlvQUdO~e>~r+585+gK87IVMDImJFFBmyhXSE|mfG zEU^$)b*w%o%s1Cid*+gAcp`tXK`R#{`wNm(CrSKk0K4>+)JZiqQ3Qq_Wia%KyLwxz z-%rV_JY4xIO1Rz6WLhj?3MRsa@AwNH>9Y#dyiR*q;c?TNp;BMS>zP{JF0!+>@_Wxnm$l9J<%^V}2WGfW~=M=QGQjv~KMu{Wt* zuYJjp#0dgl#&R72pP`0h$G?QLaf=`Zofq=p&=Q>UC8Z?j96op=j&N=5ir>dZV^~lb zYt@^!E1w}=V+&~S^|!8RWfVi5#txL>NB=FYC0b7v7j9?L7`sE`i@I4w@>oGppy7lZ z_4Y0|C6vq1SYhuZ|1x#4@iial;&#HZ#!^Lx2B#~3j)tSTr2y)vOsogvLaoVJNB$O* zeIL25{o`hVVuw$Dhrcx$+sS-CwUn=H@+{Yz%!(dgyH;)usiWzD6!|dz!1$@g*Q1wI zs*HBZOOYI7O^zuSCL8`0R~={3NGmk~^0) zTahR>ecDD%0O7a(rDQT`=>y)jRJl;m9i>;ZQoKgrAnIVEE89o;3H3s)$p?S}e1Y_=zk0JYu-2lZ}7WwfsEW`MX?#%%Y3k_4~*RaIw* zKj}dZ-8lM4pT||b=Bn>@*y?ZdkUTtRkzO;q-Ert0{5~;SGHvhE6^dv)_P|^6{+RYJFNB#2hW9iXmUM|nur@tjf_V3YFcSFl0pM`@Cvq1KQ zGtj33g19{k8Y{c3>fNJfF4PMJ?%-69y7vPmDD_#)f%IhcU~TmHX{t$9(x$Ew4Ev(x*i#Rw(t^hxVYdr0?kp1nW&=am^u)&-J-T^^ zo(EeWRb~YxKUt9*ViPsup8*J&>vzsNu5kAx!|~q!%POqEE=8*7Jj>Y#N`NWmRw-lX z&)c)ASnU&89tVrmAJbh_{8Nen`sFisFY~eya3V|X5rq^}To@6??I6~q|0Gj@_`2xj zZvCgtE>9}Hy36APglBDD$-zKu-V)xFC_#!?&mv8}{RBdS+wWzuX2K+CB=JBfZE$~E z`)wy{J`yt@(71lcHkT%Hb71LUJM>Ob9xMBDvBAtNgF*Nq(EIrCXD{Gc;-LS#2rWT> zg6|0On%>cneXX@@6od?!nYJS-Fcs}9{xumM2n{~42hy{sl_#Vvdc={7n5=((=FAQu z819-bh?6M_1>|{55@Y?77pSu4=GYF#Hn-O3l+B*w+Ou$EzGV+u3wXmk-v{G(!8W|=ySw4?oeClVI zp1q{TmsjU9o9Xqj`mOE5h{YoJ;(8$Lhv+?#G%j*;&GpFMt(y6)_R<#?Z4tkuh+N~l zOSIXJ?i}f&(dw%%AxnIr%i0_hl7ZSFvfdS=Y(eIo?xkStA1ia|{(5Rk=r1Y`(mB^3 zI&~87a?1|Wxm0QI%tfHEN|os_h!%|dw{Dh-tO;^V9QqyrLTX&w+Pgj?$9G*=&xc{! zUn_OLIKRKR+(p=RbZa!>$pI6Uk(gbvm6P${HG3p2`3fiTA%%4HQscJAyHzia&d+Zn z+{EbvhlX`!!D$w7X;y6F^H0ie7sgbj75TBC8(5edGBvfdAjzOyKYlkLWfTQIzKM~t zp9v$J#7A7bN((vrvzNqQsG2*ApGuW@;K5Lf5Ma+)e#31<6W@6fWezXDSPLD%HL+#q zW*?Fv|FMu;e*JExrZ$%FamD(`<(GsK9d}fN&z64UZ%#&^a-h&e5@{Qq!RPAiBZ)*z zWM1CIQ*klJ7U@e7Y3pr{67C{km6r zM#Q!~hcB&0@)b%L$!ZK7?Ih9YJ{r@hdx`1>sn>ze*uhVC$4b+tRL5}>Ezt_Ns_BW4mTSI?WJ`3y03!G330^|JwL-sh1@L=lt!@Ky17p}*2Jnsa7 ziFo?uncEPRo!KpDsb0W}3~rH0jb2FL?nMp;f~z~g*rtG(*~yV}e8L+(XpJeg6~v#3 z`ipyDWS6_c-78B_niGM8@m;)3lAq8-SRP*x>9BaA3!J~*Ixz^SXU`5+;vF5^mrft& z{z7w6;jo8Ze{!nU_ge?JVY|$)o`Sx3TUQ%$#9SJgYHlx-404VcxRN<213c3ID>a4(fe!QM-hU9}{lO6d~ z5{!1P@M6hHJH{s;x{HoA!HWyBT#y`AnoC{$Se#V`{Z*Q9IsIYku8`OII_|{8{s8Ec zgRVhu^f4jNm?)KyN#TwLA@pEZ&qz)v<9Fv)M*^j5dB$X`Md1@5oYg3l=Blcib;n+Y zeVh(m(Rw{Zd%h#=v%X##hqL3q2s~><(v=C5FD}DoSy1uUveQmegiQvZCMEoiJS5uR zy$vEzs8)#BXRwm*Qi1E~`i+@B^&wjRJ?QO~MNak!{y=D1t^p1&XIYR4PgCu7JB-h_ zt>%lNv$(GI&vdA|us|T5+w$GLY&QifNi6Y+%JR*>k*kioQI|re@tT>j_m695hagNPXq;(2e2Tjq=@H$6Mb`IRc2iq_Zaq#~i$2a`(UP8GM9uS z9oPQs`=qpT=czdU*8sj;*WYUoc=!g9+YPtbmzQp2M|UDh=(7_@ zv&%cnSB=A?0*8zOvtZ(rx-zE+CY0>=T=5$dtZ=F~u8g2>(s_jGijMJ^>EkL8OZ?@xkjP`uz*)wzpT$4N`5PvVRIN`gCx!Ik zyV^%5aE+&4-J<4*JmD%_7xoFbb^J7`@wh#23(K&VDJSbxu{eG>mQ2Zk;f1|dxIbDe?S%Q5s6=n17A~s^PnBXG&1QTG z5<>4Ei#9jjYR)P2(Q;?cIvZMaw(4N});HtcSwFOH(STIxx2?QoUdDo3cOvF^DgBSv z*%wS|^%q{2nQV7kKyk+Tt%sr?y4v3lMew_Drmn_=YqxC9@9|0jW@v94>mRM+Tjl=x zT+5r?OP{qPDj%OXeO}p*?F#p(z0lTvqoJ6Btb2HeTq>i~1Y>%4U;saZEO~HkPpxcH zAZ(CJ+-3x49)CYp-Qk-=!7$EH?NjjHsYHxc@%iB(eXc?m*qD%&3tEIMf{eeso10Tq zW1_4-M~WQ6Yf>gjUZ)rjyHdlBRuA8CSeiFhUcyfucZ(S+jswe|(9djfWjZlFo5|+M z*)3bbYPYZEecXa9z7-l!dVN^1d;U_>Fw2h+l9*e~-52YgL=AhTLpyE76ndX9h5qR! z-Px%Wa|{saN#~^(DnRDC@QF&6ik6%8lIo${kzwIerF3am8PZSZeWzliKKTzZ`1gv! zu{yo*-B^(?@O|HQRQuT2@7{;K4XwqA40Ofl(9;*7=z2#TVMu@a(_cUp9-8ss19kbz z!{uJlr?>~Au)II62a6&lZJZ?wukTY;u3$wXqO@uWR|4Yx-Z)xP&cNJ?%ri&pG9H_! z*x|l~r~HaT*H3=x{{6F(ewq()_8>BEnANW;{HrV?DF2~2a#VOUBVmj8Lm6t_WHeKw)HVbMYv5SPAN*T zYWKy7t{}i&c+vB`)8_Z*kYRA!uY;I`#p^8WiCX5SGl5gX#<82R$oL_XRpDif)fPT? z&0&SMQ!I_LS{rfHjd?w5a_&~5O71G7nM6|NBgWy=j(>zq%QkUq`aArQkkw4Qcn^D( z{Lp>ap`GA?UJpx}1#zjeRgUist@jvEHwot2?ej9^D#WKOEl6ZStXHY(Z%_w1gMR-A zs<6gn4^`*(c@qoCtj%%EIucBm2FIH4O|iz#lKVQkDqk*6%y_;GbyOyaDC}t$R!#lu z@;HaKLX?leP-$nSSK7T=4sl2VS69`A$AmNOdiw?6O~z++s(I)hR6owe+A%dF0*!HC zdzz-Xx{$y3_Q`%*hJ36vq5aZcQ`5qy3hJt3id8{=Im(Tr!|&KRcPF1x=wnL~oh_L2 zuWrh&e!%B^2FkWv@LoHllK`tlNzi_Xi*%N2ild^Uf!5BHqabZ&KEuk~VC9OGH)yIo zb~l36DO88Bw7YZ@ah0P!tm@UgN%(O&I~&f)Ro?ba#`4by*}d*tGzV*LQS74OnOABj z5Qp7ydODrY37>lc_P<;H@QEe%(2&RJO}kUyB=VqB?e4o?=8KP!5<4>qpwNICUxX`b z+Z+4BIr$5A>tQV6_U*~8(&&zu_lX-ude5C{rKy?pkE4-|+qEkl)=G2_+T6%NX$Rwt z?>rSC>LR_mFlUk4<=(k?MkeL^gG(p6yxz-pt6nP*B?{n&rOEv~xa6qGl8Z4iFScA7 z&38xbpwr%#uf3RLbMLK}c-fbi@n-343kMWP;tIowP3zW^#rdgb-S?v1yL#g2Hv(2e zx5)wjdin-WTurL zDrBNPzGk{$4hhF5%=o_NJuoIVHBEZ3dC>#~$C}Py3&ZwyI%E4yO%X73Q|Q_i+REDM z&zvlCnFl9!a!9`&8G>-^dopkTnf4|RX)_dfUOu)fBer7Tc&(OhAO%F8d`Um=_A1TV z{4g@|?@-${Xh+9|-8$B~jj46@5bQAn6G_7?elFN;-*{jBnB|6j29ajWWCl`Pe&<0@ z?Gu`N?g@R)p}Wq0Vh;AypXU`Bq{pk_Wk$xMwMSs+1ZmRlqc^+9Hm+qTA;6;fh?whF z8=wt+Oulz?cjG6+|NT28_|g9o{R_o%@g2Zd~l*`8GMCfbvV+K+5m0uF=t=n@?pxACU z=fPqejP@I5U8dtVN+UX7e6K`-3;m~mVyLwXmnIHWW$N3%S%heMu+rXNSQt= zzpdD*yQIbv%On`!L(SjYEj0_67FT+Og|gZ(Uic0@3Nj^*jt+2`kg)o=XLrkUJ8Wpb z3nx~6p89fpbv1(Swzp7_(O3w9euMZFz3}#SjY8FGc!tjtJsriDOJ`+4Zhdsyp6x7o z%5k{J=72mLOEo_y;CjQC@~cK~dDg?@*i}g)P+7gXX;+}e9wCc;iig=FT=6RHVvj$o z;Ac-YQeH~9gX~T zf3*wM<=TaQ5}^TJhO_0obxL}XyUcHBh5q-v8pGzQyI_M} z59Q49VaeWyY$&4annd~qx<%%t_Z@F86x)LWhXc*W!bI900HfD;FaK1_diAd1mNN>C z3Edhtp>1>hnL5ky^$r6spm!7y-#tDkfFSQLe#4=u2FUqrU)8QqeQ%Vz-u^*x30?D0 z3%R3;4S^OR;e%3jobd61hm5uM@_&g@gQPs1#rlO0B*@+tg=zU45iBJdPS)&H2!pkO z8+3@n3O?X~xG*_bbJwG15rsj|7nLKm4s~L8BR6PWZ-a7l>)lCy^Jrp67FXK4>aI|Dm$_ ztB)j&zOz1986Um*d?mf_)-``#YA5S?NG+wzgm}P-$dJy@TKSNaA;3jD)L6AWk_04! zat`i8DAd5L5(}vHM70ad;yXa{R?fi#h;$xwkKRVswF_&N`(aofW)ajfg(HII`{%7wP@>_Ue9{H?NkO_6vmV+@o;i%%DmYlcVXv<{@urW|Qx9zX zDH}@*VdY`6$1p7hC9Zz`#yez(T zxRf=fZlgEVg$6$cP-)({y^EiAuHa9_tnrSVk^rR&%X4MUulkUAm~<;1_beDIy9(st`Mkm8<{#*mi1HmXQ{{xmtp#KwhRgG4 z9u5|0*p408IcXHZ#%YssFe|*8ltSQ!V-I_Oc!jO_s*$b(ZP^}k8PVnVz;hXXAJ+8* zv-fpXE0ki{y6v1}AidyxL?!NNAf9tLN~|1f{Zh zMos-5H@Yb)btBten8?q`y6~(9BYC5`RbgS!*H zFk*^E)x;2hsEZip3WG%#T_mt^?y{9oXmg2P_%akItT`_t@k5uBwe9(axPi{1*VGd3 z@|OO$CGj{i3V6yTvGJs!CAp*CR*IWEqOo)){xWuuf%ecjbsg*^HFD}OyEi_%<<{2P zTjcDqSe%xfRr6@tL(E4cs7l}X@Q8p`5O|gKbES60phzX=`7S>iVB14vCqOLL!+nDC zA!)zUCaN8QRB3><%c*0(d&_;|?uMBuG?YI_G>r^{f!QkC zv2R$LiM#b^Y*);cYyKt^YYD(e5}?m%`jf0r9VEMw_p>-{-aM8eLA3zbrc3=X7eZbW z%88t;<@1ymvd?!kB;nxjrTh?;iDLt?(4go4nAw@^gDg8R%ry@GqWzUQ4;SY!hHgUW zzjCCeKRet5rRVIzoX+{HeY|SSTY5Hr;_Dw=nA3rdv|T7`A-wM(HBuJUhS`dY2}fN1 zsWJ3m^LmR4%upJjKM!*x#+_e3qfjPK%edG4dn5P?=acTln3zH64xfXe1MQ^Ll#-~x?JShdILWXT^YJZN`u%o zrFMk{od((9k!|gd3TagK`5RN0O6WN}uT?$>*nkkP2G?iM^-0g-w{NU=deJBeI*pvVm#zDP zsnS|D&yG#GWL6|Ow|nf82{bP6kj=9m|_P#7xPib zj}1^a5c&{09?%HholAt9Kwsi(7TFV5pVmkK^>iB~Lix3d86=NT#1ymsPt3A6)HR{* zpCVX@)bWk_A*mpEZN(vgWx63h$YhUc6C#Um) { + await setup({ + rootDir: fileURLToPath(new URL('./fixtures/publicAssets', import.meta.url)), + }) + + it('does not set all-resources security headers when disabled in config', async () => { + const { headers } = await fetch('/icon.png') + expect(headers).toBeDefined() + + // Security headers that are always set on all resources + const rp = headers.get('referrer-policy') + const sts = headers.get('strict-transport-security') + const xcto = headers.get('x-content-type-options') + const xdo = headers.get('x-download-options') + const xfo = headers.get('x-frame-options') + const xpcdp = headers.get('x-permitted-cross-domain-policies') + const xxp = headers.get('x-xss-protection') + + expect(rp).toBeNull() + expect(sts).toBeNull() + expect(xcto).toBeNull() + expect(xdo).toBeNull() + expect(xfo).toBeNull() + expect(xpcdp).toBeNull() + expect(xxp).toBeNull() + }) + + it('sets security headers on routes when specified in routeRules', async () => { + const { headers } = await fetch('/test') + expect(headers).toBeDefined() + + // Security headers that are always set on all resources + const rp = headers.get('referrer-policy') + const sts = headers.get('strict-transport-security') + const xcto = headers.get('x-content-type-options') + const xdo = headers.get('x-download-options') + const xfo = headers.get('x-frame-options') + const xpcdp = headers.get('x-permitted-cross-domain-policies') + const xxp = headers.get('x-xss-protection') + + expect(rp).toBe('no-referrer') + expect(sts).toBe('max-age=15552000; includeSubDomains;') + expect(xcto).toBe('nosniff') + expect(xdo).toBe('noopen') + expect(xfo).toBe('SAMEORIGIN') + expect(xpcdp).toBe('none') + expect(xxp).toBe('0') + }) +})