From 74dca6edca701ea9d9ba2b7fd787a6f442e52bc2 Mon Sep 17 00:00:00 2001
From: HeavenVR
Date: Thu, 18 Jun 2026 12:27:43 +0200
Subject: [PATCH 1/4] chore(security): use isTruthy for telemetry env flags and add rel=noopener
- Telemetry kill-switch (PUBLIC_SIGNOZ_LOGS_ENABLED) and trace propagation flag now use isTruthy() instead of strict === 'true' comparison, matching the project convention for env-var booleans.
- Add rel=noopener noreferrer to external target=_blank links on the login page and serial terminal help dialog.
---
 src/lib/telemetry/common.ts | 3 ++-
 src/lib/telemetry/tracer.ts | 3 ++-
 src/routes/(auth)/login/+page.svelte | 11 ++++++++---
 src/routes/terminal/HelpDialog.svelte | 8 +++++++-
 4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/lib/telemetry/common.ts b/src/lib/telemetry/common.ts
index 7abcb132..2f08cf4b 100644
--- a/src/lib/telemetry/common.ts
+++ b/src/lib/telemetry/common.ts
@@ -8,6 +8,7 @@ import {
 PUBLIC_SIGNOZ_TRACES_URL,
 } from '$env/static/public';
 import { telemetryConsent, type TelemetryLevel } from '$lib/state/telemetry-consent-state.svelte';
+import { isTruthy } from '$lib/utils/parse';
 import { resourceFromAttributes } from '@opentelemetry/resources';
 export const SERVICE_NAME = 'openshock-frontend';
@@ -79,7 +80,7 @@ export function telemetryLevel(): TelemetryLevel {
 if (typeof window === 'undefined') return 'off';
 // Deployment kill-switch: only ship from a deployment with a configured collector.
- if (PUBLIC_SIGNOZ_LOGS_ENABLED !== 'true') return 'off';
+ if (!isTruthy(PUBLIC_SIGNOZ_LOGS_ENABLED)) return 'off';
 // Opt-in: respect the user's chosen consent level.
 return telemetryConsent.value;
diff --git a/src/lib/telemetry/tracer.ts b/src/lib/telemetry/tracer.ts
index 6b157030..50cb1cc3 100644
--- a/src/lib/telemetry/tracer.ts
+++ b/src/lib/telemetry/tracer.ts
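Review bot: The kill-switch at `if (!isTruthy(PUBLIC_SIGNOZ_LOGS_ENABLED)) return 'off';` in `telemetryLevel()` now turns telemetry on for every value `isTruthy()` accepts, and that set is not visible in this patch because `isTruthy` lives in `$lib/utils/parse`. This gate decides whether browser telemetry leaves the deployment, so it should fail closed: empty, whitespace-only and unrecognised strings must parse as false, ideally pinned by a unit test on `isTruthy`. I would state that contract next to the check, e.g. `// Deployment kill-switch: stays off unless the flag parses as true via isTruthy(); empty or unknown values keep telemetry off.` The same applies to `propagateToBackend = isTruthy(PUBLIC_SIGNOZ_TRACE_PROPAGATION)` in the second tracer.ts hunk, where a looser match would start adding `traceparent`/`tracestate` to cross-origin API requests. `telemetryLevel()` continues past the end of the hunk.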
@@ -1,4 +1,5 @@
 import { PUBLIC_SIGNOZ_TRACE_PROPAGATION } from '$env/static/public';
+import { isTruthy } from '$lib/utils/parse';
 import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
 import { registerInstrumentations } from '@opentelemetry/instrumentation';
 import { FetchInstrumentation } from '@opentelemetry/instrumentation-fetch';
@@ -38,7 +39,7 @@ export function initTracing(): void {
 // Distributed tracing: attach `traceparent`/`tracestate` to API requests so the backend can
 // continue the trace. Cross-origin, so the backend's CORS must allow those request headers —
 // off by default to avoid breaking API calls before the backend is ready.
- const propagateToBackend = PUBLIC_SIGNOZ_TRACE_PROPAGATION === 'true';
+ const propagateToBackend = isTruthy(PUBLIC_SIGNOZ_TRACE_PROPAGATION);
 registerInstrumentations({
 instrumentations: [
diff --git a/src/routes/(auth)/login/+page.svelte b/src/routes/(auth)/login/+page.svelte
index 4c8dcc53..981f64f0 100644
--- a/src/routes/(auth)/login/+page.svelte
+++ b/src/routes/(auth)/login/+page.svelte
@@ -150,8 +150,13 @@ - By clicking Login, you agree to our Terms of ServiceTerms of Service - and Privacy Policy. + and + Privacy Policy.
diff --git a/src/routes/terminal/HelpDialog.svelte b/src/routes/terminal/HelpDialog.svelte
index bc5eab5a..4ee9526c 100644
--- a/src/routes/terminal/HelpDialog.svelte
+++ b/src/routes/terminal/HelpDialog.svelte
@@ -74,6 +74,7 @@
From 9a91fcbc464586ea0a643fe5ca3070588bc1f1aa Mon Sep 17 00:00:00 2001
From: HeavenVR
Date: Thu, 18 Jun 2026 17:32:19 +0200
Subject: [PATCH 2/4] oops
---
 src/lib/components/Turnstile.svelte | 2 +-
 src/routes/(auth)/login/+page.svelte | 4 ++--
 src/routes/Footer.svelte | 4 +---
 src/routes/WelcomeScreen.svelte | 2 +-
 src/routes/terminal/HelpDialog.svelte | 2 +-
 5 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/src/lib/components/Turnstile.svelte b/src/lib/components/Turnstile.svelte
index 6f66f909..a9eb29ea 100644
--- a/src/lib/components/Turnstile.svelte +++ b/src/lib/components/Turnstile.svelte @@ -92,7 +92,7 @@ class="mb-auto ml-auto h-7 w-auto text-[#666] dark:text-[#999]" href="https://www.cloudflare.com/products/turnstile/?utm_source=turnstile&utm_campaign=widget" target="_blank" - rel="noreferrer" + rel="noopener" > diff --git a/src/routes/(auth)/login/+page.svelte b/src/routes/(auth)/login/+page.svelte index 981f64f0..97b3082c 100644 --- a/src/routes/(auth)/login/+page.svelte +++ b/src/routes/(auth)/login/+page.svelte @@ -153,10 +153,10 @@ By clicking Login, you agree to our Terms of ServiceTerms of Service and - Privacy Policy. diff --git a/src/routes/Footer.svelte b/src/routes/Footer.svelte index b5014df1..7c7ea1d4 100644 --- a/src/routes/Footer.svelte +++ b/src/routes/Footer.svelte @@ -17,9 +17,7 @@ Made with by the - - OpenShock Team + OpenShock Team
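Review bot: In the Turnstile.svelte hunk, replacing `rel="noreferrer"` with `rel="noopener"` on the `target="_blank"` Cloudflare link drops referrer suppression and gains nothing, because `noreferrer` already implies `noopener`. Keep both tokens, `rel="noopener noreferrer"`, which is what patch 4/4 later restores; folding that fix into this commit would avoid an intermediate revision where the link sends a Referer header to the third-party site. The anchor element opens and closes outside the hunk.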
diff --git a/src/routes/WelcomeScreen.svelte b/src/routes/WelcomeScreen.svelte index 2b7303c9..f9273c6f 100644 --- a/src/routes/WelcomeScreen.svelte +++ b/src/routes/WelcomeScreen.svelte @@ -326,7 +326,7 @@
CP210x Universal Windows Driver From c6c36cc932242abf66e0a1f7f647b9138d15ece1 Mon Sep 17 00:00:00 2001 From: HeavenVR Date: Thu, 18 Jun 2026 17:53:43 +0200 Subject: [PATCH 3/4] a --- src/routes/(auth)/login/+page.svelte | 11 +++-------- src/routes/Footer.svelte | 2 +- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/src/routes/(auth)/login/+page.svelte b/src/routes/(auth)/login/+page.svelte index 97b3082c..ad2d123b 100644 --- a/src/routes/(auth)/login/+page.svelte +++ b/src/routes/(auth)/login/+page.svelte @@ -150,13 +150,8 @@ - By clicking Login, you agree to our Terms of Service + By clicking Login, you agree to our + Terms of Service and - Privacy Policy. + Privacy Policy. diff --git a/src/routes/Footer.svelte b/src/routes/Footer.svelte index 7c7ea1d4..c3594229 100644 --- a/src/routes/Footer.svelte +++ b/src/routes/Footer.svelte @@ -17,7 +17,7 @@ Made with by the - OpenShock Team + OpenShock Team
From f6570ec6ebb01e97fdc16032503082e49a0661ff Mon Sep 17 00:00:00 2001 From: HeavenVR Date: Thu, 18 Jun 2026 18:38:44 +0200 Subject: [PATCH 4/4] a --- src/lib/components/Turnstile.svelte | 2 +- src/routes/terminal/HelpDialog.svelte | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/lib/components/Turnstile.svelte b/src/lib/components/Turnstile.svelte index a9eb29ea..4e716cb9 100644 --- a/src/lib/components/Turnstile.svelte +++ b/src/lib/components/Turnstile.svelte @@ -92,7 +92,7 @@ class="mb-auto ml-auto h-7 w-auto text-[#666] dark:text-[#999]" href="https://www.cloudflare.com/products/turnstile/?utm_source=turnstile&utm_campaign=widget" target="_blank" - rel="noopener" + rel="noopener noreferrer" > diff --git a/src/routes/terminal/HelpDialog.svelte b/src/routes/terminal/HelpDialog.svelte index 4e9f62af..1a70546f 100644 --- a/src/routes/terminal/HelpDialog.svelte +++ b/src/routes/terminal/HelpDialog.svelte @@ -129,12 +129,7 @@
  • what you've already tried from the previous steps
  • any error messages or relevant terminal output
  • -