Commit Graph

4 Commits

Author SHA1 Message Date
Levi Neuwirth 1027b88429 Rich reference popups: arXiv lead figures, prominent Wikipedia images
Reference popups (provider-rendered: arXiv, Wikipedia, CrossRef, …)
get a glanceable layout: wider container (560px), larger title and
body type, and a full-width image banner under the source label.
Internal page previews and item-card popups (new/library pages) keep
the compact layout — the shared popup element toggles
.link-popup--rich per show based on the rendered content.

- arXiv: a new best-effort enrich step fetches the paper's LaTeXML
  HTML rendition and pulls the first figure as a lead image. Enrich is
  time-boxed (1.8s) so the metadata popup is never held hostage; late
  results refresh the cache for the next hover. Figures letterbox with
  object-fit: contain (plots must not crop); Wikipedia photos
  cover-crop with an upper focal point. width/height attrs reserve
  aspect ratio so positioning is stable before the image loads.
- Wikipedia thumbnails request 480px for the banner width.
- nginx: new ^~ /proxy/arxiv-html/ location backed by arxiv.org proper
  (export.arxiv.org serves the Atom API but 429s the /html/ asset
  tree); 404s cached 1d (the common no-HTML-rendition case). All four
  proxy locations switched to ^~ — without it, static-assets.conf's
  per-extension regex location outranks plain prefixes and serves a
  local 404 for any proxied URL ending in an image extension, which is
  exactly how the first figure fetch failed.

Installed and verified live: proxied page (200, 298KB), figure (200
image/png), API unchanged, no-rendition 404 path; the full client
resolution chain (relative src -> proxy path -> guard -> image)
validated against production.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 13:02:15 -04:00
Levi Neuwirth 59fcc15ca6 nginx: preserve security baseline in every location; install on VPS
add_header is non-additive: any location declaring its own add_header
drops all server-context headers. archive.conf already re-included the
baseline for exactly this reason, but static-assets.conf (four cache
locations — including the JS/CSS responses where nosniff matters most)
and popup-proxy.conf (three proxy locations) did not. All seven now
re-include snippets/security-headers.conf.

Proxy locations additionally hide the upstream's own
STS/CSP/X-Frame-Options before re-adding ours: browsers honor only the
FIRST Strict-Transport-Security header (RFC 6797 §8.1), so arXiv's
max-age=300 passing through ahead of ours would have downgraded the
domain's cached HSTS policy on every popup fetch.

Server side (installed + verified live): security-headers.conf and
archive.conf wired into the vhost in vhost.conf.example's canonical
order; nginx-mod-brotli installed and loaded, so the .br sidecars
compress-assets.sh has always shipped are now actually served
(Content-Encoding: br verified). CSP remains Report-Only. Verified
headers on /, /css/*.css (baseline + Cache-Control together),
/archive/ (baseline + X-Robots-Tag), and /proxy/* (baseline +
X-Cache-Status, single STS).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 12:11:46 -04:00
Levi Neuwirth 23250d8782 Fix popup previews: proxy prefix-strip bug, arXiv IDs, Wikipedia images
The root cause of 'PDF/arXiv previews simply do not work' was twofold:

1. nginx/popup-proxy.conf was never installed on the VPS — every
   /proxy/* request (arXiv, PubMed, Internet Archive) returned nginx's
   default 404. Now installed (snippets + http{}-context cache/limit
   zones in conf.d, included in the vhost, nginx -t verified, reloaded).
2. The snippet itself had a latent bug that only surfaced once
   installed: with a VARIABLE upstream, a URI part on proxy_pass is
   passed literally — every request hit the upstream's homepage
   (archive.org HTML where JSON was expected, arXiv 429s, NCBI doc-page
   redirects). Fixed with explicit prefix-strip rewrites; bad cached
   responses purged. All three proxies verified returning real data,
   including a live arXiv title resolve.

Client-side improvements:
- arXiv match covers old-style IDs (cs/9901002, math.GT/0309136,
  cond-mat/...v1) alongside new-style, and .pdf-suffixed /pdf/ URLs
  (regex verified against six forms)
- Wikipedia popups show the article's lead image: pageimages rides
  along the existing extracts call (pithumbsize=320), rendered via a
  new https-only image slot in renderPopup with float styling;
  upload.wikimedia.org added to the CSP's img-src
- pdf-thumbs now walks all of static/ (pdfjs pruned), so /cv.pdf and
  /resume.pdf — the most-linked internal PDFs, previously thumbnail-less
  and therefore popup-less — get hover previews

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 12:06:13 -04:00
Levi Neuwirth 1a532f881b major visual changes - dingbats, footer, etc 2026-04-17 12:48:22 -04:00
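
The two header rules described in commit 59fcc15ca6, written as a small config lint: a location that declares its own add_header must re-include snippets/security-headers.conf, and a proxy location must hide the upstream's STS/CSP/X-Frame-Options. This is an added example, not code from the repository; the sample config (paths, upstream host, header values) is constructed, and the parser is a naive brace matcher that assumes no braces or `#` inside quoted values or regex matchers.

```python
import re
# Added example: names come from the commit message; SAMPLE is constructed.
BASELINE = "snippets/security-headers.conf"
UPSTREAM_POLICY = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options")
SAMPLE = r"""
server {
    include snippets/security-headers.conf;
    location ~* \.(css|js)$ {
        add_header Cache-Control "public, max-age=31536000";
    }
    location ^~ /proxy/example/ {
        proxy_pass https://upstream.example;
        add_header X-Cache-Status $upstream_cache_status;
        include snippets/security-headers.conf;
    }
    location ^~ /archive/ {
        add_header X-Robots-Tag "noindex";
        include snippets/security-headers.conf;
    }
}
"""
def location_blocks(conf):
    """Yield (matcher, body) per location block, pairing braces by depth."""
    for m in re.finditer(r"\blocation\s+([^{;]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def lint(conf):
    """Return (location, problem) pairs for the two header mistakes."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (naive: ignores quoting)
    findings = []
    for matcher, body in location_blocks(conf):
        ds = [d.split() for d in re.split(r"[;{}]", body) if d.strip()]
        names = {d[0] for d in ds}
        # add_header in a location replaces the inherited set, so the baseline must be re-included
        if "add_header" in names and ["include", BASELINE] not in ds:
            findings.append((matcher, "add_header without baseline include"))
        if "proxy_pass" in names:
            hidden = {d[1].lower() for d in ds if d[0] == "proxy_hide_header" and len(d) > 1}
            missing = [h for h in UPSTREAM_POLICY if h.lower() not in hidden]
            if missing:
                findings.append((matcher, "upstream not hidden: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    print(*(f"location {l}: {p}" for l, p in lint(SAMPLE)), sep="\n")
```

On the constructed sample it flags the CSS/JS cache location (baseline dropped) and the proxy location (upstream policy headers passed through), and leaves the /archive/ location alone.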