From 3076d334203d6a9aad545496b9390f6521c9cfce Mon Sep 17 00:00:00 2001
From: Kimberly
Date: Thu, 2 Feb 2017 02:39:52 -0500
Subject: [PATCH] Security Headers
---
BrowserCache_ConfigLabels.php | 33 +++-
BrowserCache_Environment.php | 179 ++++++++++++++++++-
ConfigKeys.php | 132 +++++++++++++-
inc/options/browsercache.php | 322 +++++++++++++++++++++++++++++++++-
inc/options/common/header.php | 3 +-
pub/css/options.css | 12 ++
pub/img/cspref.png | Bin 0 -> 48720 bytes
pub/js/options.js | 69 ++++++++
8 files changed, 729 insertions(+), 21 deletions(-)
create mode 100644 pub/img/cspref.png
diff --git a/BrowserCache_ConfigLabels.php b/BrowserCache_ConfigLabels.php
index 7e36755..6d9e326 100644
--- a/BrowserCache_ConfigLabels.php
+++ b/BrowserCache_ConfigLabels.php
@@ -35,7 +35,38 @@ public function config_labels( $config_labels ) {
'browsercache.other.w3tc' => __( 'Set W3 Total Cache header', 'w3-total-cache' ),
'browsercache.other.compression' => __( 'Enable HTTP (gzip) compression', 'w3-total-cache' ),
'browsercache.other.replace' => __( 'Prevent caching of objects after settings change', 'w3-total-cache' ),
- 'browsercache.other.nocookies' => __( 'Disable cookies for static files', 'w3-total-cache' )
+ 'browsercache.other.nocookies' => __( 'Disable cookies for static files', 'w3-total-cache' ),
+ 'browsercache.security.session.cookie_httponly' => __( 'Access session cookies through the HTTP protocol only', 'w3-total-cache' ),
+ 'browsercache.security.session.cookie_secure' => __( 'Send session cookies only to secure connections', 'w3-total-cache' ),
+ 'browsercache.security.session.use_only_cookies' => __( 'Use cookies to store session IDs in the user\'s browser', 'w3-total-cache' ),
+ 'browsercache.security.hsts' => __( 'HTTP Strict Transport Security policy', 'w3-total-cache' ),
+ 'browsercache.security.hsts.directive' => __( 'Directive:', 'w3-total-cache' ),
+ 'browsercache.security.xfo' => __( 'X-Frame-Options', 'w3-total-cache' ),
+ 'browsercache.security.xfo.directive' => __( 'Directive:', 'w3-total-cache' ),
+ 'browsercache.security.xss' => __( 'X-XSS-Protection', 'w3-total-cache' ),
+ 'browsercache.security.xss.directive' => __( 'Directive:', 'w3-total-cache' ),
+ 'browsercache.security.xcto' => __( 'X-Content-Type-Options', 'w3-total-cache' ),
+ 'browsercache.security.pkp' => __( 'HTTP Public Key Pinning', 'w3-total-cache' ),
+ 'browsercache.security.pkp.pin' => __( 'Public Key:', 'w3-total-cache' ),
+ 'browsercache.security.pkp.pin.backup' => __( 'Public Key (Backup):', 'w3-total-cache' ),
+ 'browsercache.security.pkp.extra' => __( 'Extra Parameters:', 'w3-total-cache' ),
+ 'browsercache.security.pkp.report.url' => __( 'Report URL:', 'w3-total-cache' ),
+ 'browsercache.security.pkp.report.only' => __( 'Report Mode Only:', 'w3-total-cache' ),
+ 'browsercache.security.csp' => __( 'Content Security Policy', 'w3-total-cache' ),
+ 'browsercache.security.csp.base' => __( 'base-uri:', 'w3-total-cache' ),
+ 'browsercache.security.csp.frame' => __( 'frame-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.connect' => __( 'connect-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.font' => __( 'font-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.script' => __( 'script-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.style' => __( 'style-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.img' => __( 'img-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.media' => __( 'media-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.object' => __( 'object-src:', 'w3-total-cache' ),
+ 'browsercache.security.csp.plugin' => __( 'plugin-types:', 'w3-total-cache' ),
+ 'browsercache.security.csp.form' => __( 'form-action:', 'w3-total-cache' ),
+ 'browsercache.security.csp.frame.ancestors' => __( 'frame-ancestors:', 'w3-total-cache' ),
+ 'browsercache.security.csp.sandbox' => __( 'sandbox:', 'w3-total-cache' ),
+ 'browsercache.security.csp.default' => __( 'default-src:', 'w3-total-cache' )
) );
}
}
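Review bot: `browsercache.security.xfo.allow` has no entry in this list, although ConfigKeys.php adds the key and BrowserCache_Environment.php reads it for the ALLOW-FROM value. If these labels are what the settings-change notices use, that field would appear without a name. I would add `'browsercache.security.xfo.allow' => __( 'ALLOW-FROM URL:', 'w3-total-cache' ),`. The HttpOnly label could also say what the flag does, e.g. `'Hide session cookies from client-side scripts (HttpOnly)'`, since "through the HTTP protocol only" reads like a transport restriction.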
diff --git a/BrowserCache_Environment.php b/BrowserCache_Environment.php
index b11e381..4af0730 100644
--- a/BrowserCache_Environment.php
+++ b/BrowserCache_Environment.php
@@ -334,10 +334,97 @@ private function rules_cache_generate_apache( $config ) {
$rules .= $this->_rules_cache_generate_apache_for_type( $config,
$extensions, $type );
- if ( $config->get_boolean( 'browsercache.hsts' ) ) {
- $lifetime = $config->get_integer( 'browsercache.other.lifetime' );
+ $sec = " php_flag session.cookie_httponly " . ( $config->get_boolean( 'browsercache.security.session.cookie_httponly' ) ? "on" : "off" ) . "\n" .
+ " php_flag session.cookie_secure " . ( $config->get_boolean( 'browsercache.security.session.cookie_secure' ) ? "on" : "off" ) . "\n" .
+ " php_flag session.use_only_cookies " . ( $config->get_boolean( 'browsercache.security.session.use_only_cookies' ) ? "on" : "off" ) . "\n\n";
+
+ $rules .= "\n";
+ $rules .= $sec;
+ $rules .= "\n";
+ $rules .= $sec;
+ $rules .= "\n";
+ $rules .= $sec;
+
+ if ( $config->get_boolean( 'browsercache.security.hsts' ) ||
+ $config->get_boolean( 'browsercache.security.xfo' ) ||
+ $config->get_boolean( 'browsercache.security.xss' ) ||
+ $config->get_boolean( 'browsercache.security.xcto' ) ||
+ $config->get_boolean( 'browsercache.security.pkp' ) ||
+ $config->get_boolean( 'browsercache.security.csp' )
+ ) {
+ $lifetime = $config->get_integer( 'browsercache.other.lifetime' );
+
$rules .= "\n";
- $rules .= " Header set strict-transport-security \"max-age=$lifetime\"\n";
+
+ if ( $config->get_boolean( 'browsercache.security.hsts' ) ) {
+ $dir = $config->get_string( 'browsercache.security.hsts.directive' );
+ $rules .= " Header set Strict-Transport-Security \"max-age=$lifetime" . ( strpos( $dir,"inc" ) ? "; includeSubDomains" : "" ) . ( strpos( $dir, "pre" ) ? "; preload" : "" ) . "\"\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.xfo' ) ) {
+ $dir = $config->get_string( 'browsercache.security.xfo.directive' );
+ $url = trim( $config->get_string( 'browsercache.security.xfo.allow' ) );
+ if ( empty( $url ) ) {
+ $url = Util_Environment::home_url_maybe_https();
+ }
+ $rules .= " Header always append X-Frame-Options \"" . ( $dir == "same" ? "SAMEORIGIN" : ( $dir == "deny" ? "DENY" : "ALLOW-FROM $url" ) ) . "\"\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.xss' ) ) {
+ $dir = $config->get_string( 'browsercache.security.xss.directive' );
+ $rules .= " Header set X-XSS-Protection \"" . ( $dir == "block" ? "1; mode=block" : $dir ) . "\"\n";
+
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.xcto' ) ) {
+ $rules .= " Header set X-Content-Type-Options \"nosniff\"\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.pkp' ) ) {
+ $pin = trim( $config->get_string( 'browsercache.security.pkp.pin' ) );
+ $pinbak = trim( $config->get_string( 'browsercache.security.pkp.pin.backup' ) );
+ $extra = $config->get_string( 'browsercache.security.pkp.extra' );
+ $url = trim( $config->get_string( 'browsercache.security.pkp.report.url' ) );
+ $rep_only = $config->get_string( 'browsercache.security.pkp.report.only' ) == '1' ? true : false;
+ $rules .= " Header set " . ( $rep_only ? "Public-Key-Pins-Report-Only" : "Public-Key-Pins" ) . " \"pin-sha256=\\\"$pin\\\"; pin-sha256=\\\"$pinbak\\\"; max-age=$lifetime" . ( strpos( $extra,"inc" ) ? "; includeSubDomains" : "" ) . ( !empty( $url ) ? "; report-uri=\\\"$url\\\"" : "" ) . "\"\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.csp' ) ) {
+ $base = trim( $config->get_string( 'browsercache.security.csp.base' ) );
+ $frame = trim( $config->get_string( 'browsercache.security.csp.frame' ) );
+ $connect = trim( $config->get_string( 'browsercache.security.csp.connect' ) );
+ $font = trim( $config->get_string( 'browsercache.security.csp.font' ) );
+ $script = trim( $config->get_string( 'browsercache.security.csp.script' ) );
+ $style = trim( $config->get_string( 'browsercache.security.csp.style' ) );
+ $img = trim( $config->get_string( 'browsercache.security.csp.img' ) );
+ $media = trim( $config->get_string( 'browsercache.security.csp.media' ) );
+ $object = trim( $config->get_string( 'browsercache.security.csp.object' ) );
+ $plugin = trim( $config->get_string( 'browsercache.security.csp.plugin' ) );
+ $form = trim( $config->get_string( 'browsercache.security.csp.form' ) );
+ $frame_ancestors = trim( $config->get_string( 'browsercache.security.csp.frame.ancestors' ) );
+ $sandbox = $config->get_string( 'browsercache.security.csp.sandbox' );
+ $default = trim( $config->get_string( 'browsercache.security.csp.default' ) );
+
+ $dir = rtrim( ( !empty( $base ) ? "base-uri $base; " : "" ).
+ ( !empty( $frame ) ? "frame-src $frame; " : "" ).
+ ( !empty( $connect ) ? "connect-src $connect; " : "" ).
+ ( !empty( $font ) ? "font-src $font; " : "" ).
+ ( !empty( $script ) ? "script-src $script; " : "" ).
+ ( !empty( $style ) ? "style-src $style; " : "" ).
+ ( !empty( $img ) ? "img-src $img; " : "" ).
+ ( !empty( $media ) ? "media-src $media; " : "" ).
+ ( !empty( $object ) ? "object-src $object; " : "" ).
+ ( !empty( $plugin ) ? "plugin-types $plugin; " : "" ).
+ ( !empty( $form ) ? "form-action $form; " : "" ).
+ ( !empty( $frame_ancestors ) ? "frame-ancestors $frame_ancestors; " : "" ).
+ ( !empty( $sandbox ) ? "sandbox " . trim( $sandbox ) . "; " : "" ).
+ ( !empty( $default ) ? "default-src $default;" : "" ), "; " );
+
+ if ( !empty( $dir ) ) {
+ $rules .= " Header set Content-Security-Policy \"$dir\"\n";
+ }
+ }
+
$rules .= "\n";
}
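Review bot: The strings read with `get_string()` in this hunk are concatenated into double-quoted `Header` directives after nothing more than `trim()`: `$url` for ALLOW-FROM and report-uri, `$pin`, `$pinbak`, every CSP field, and the raw `$dir` fallthrough on the X-XSS-Protection line. A `"` or a line break inside any of them ends the directive early, and the remainder is then parsed as Apache configuration in the generated rules. I would normalise each value before interpolation, for example `$v = addcslashes( str_replace( array( "\r", "\n" ), ' ', $v ), '"\\' );`, and map the XSS directive through a fixed list of allowed values instead of echoing it. The nginx hunk below builds its `add_header` lines from the same unescaped values, where `;`, `'` and `$` are significant as well. Separately, `strpos( $dir, "inc" )` is used as a boolean, so a token at offset 0 reads as absent and `!== false` states the intent; the function body starts and ends outside the hunk.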
@@ -561,10 +648,88 @@ private function rules_cache_generate_nginx( $config, $cdnftp = false ) {
$this->_rules_cache_generate_nginx_for_type( $config, $rules,
$extensions, $type );
- if ( $config->get_boolean( 'browsercache.hsts' ) ) {
- $lifetime = $config->get_integer( 'browsercache.other.lifetime' );
- $rules .= "add_header strict-transport-security \"max-age=$lifetime\";\n";
- }
+ $rules .= "fastcgi_param PHP_FLAG \"session.cookie_httponly=" . ( $config->get_boolean( 'browsercache.security.session.cookie_httponly' ) ? "on" : "off" ) . "\n" .
+ "session.cookie_secure=" . ( $config->get_boolean( 'browsercache.security.session.cookie_secure' ) ? "on" : "off" ) . "\n" .
+ "session.use_only_cookies=" . ( $config->get_boolean( 'browsercache.security.session.use_only_cookies' ) ? "on" : "off" ) . "\";";
+
+ if ( $config->get_boolean( 'browsercache.security.hsts' ) ||
+ $config->get_boolean( 'browsercache.security.xfo' ) ||
+ $config->get_boolean( 'browsercache.security.xss' ) ||
+ $config->get_boolean( 'browsercache.security.xcto' ) ||
+ $config->get_boolean( 'browsercache.security.pkp' ) ||
+ $config->get_boolean( 'browsercache.security.csp' )
+ ) {
+ $lifetime = $config->get_integer( 'browsercache.other.lifetime' );
+
+ if ( $config->get_boolean( 'browsercache.security.hsts' ) ) {
+ $dir = $config->get_string( 'browsercache.security.hsts.directive' );
+ $rules .= "add_header Strict-Transport-Security \"max-age=$lifetime" . ( strpos( $dir,"inc" ) ? "; includeSubDomains" : "" ) . ( strpos( $dir, "pre" ) ? "; preload" : "" ) . "\";\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.xfo' ) ) {
+ $dir = $config->get_string( 'browsercache.security.xfo.directive' );
+ $url = trim( $config->get_string( 'browsercache.security.xfo.allow' ) );
+ if ( empty( $url ) ) {
+ $url = Util_Environment::home_url_maybe_https();
+ }
+ $rules .= "add_header X-Frame-Options \"" . ( $dir == "same" ? "SAMEORIGIN" : ( $dir == "deny" ? "DENY" : "ALLOW-FROM $url" ) ) . "\";\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.xss' ) ) {
+ $dir = $config->get_string( 'browsercache.security.xss.directive' );
+ $rules .= "add_header X-XSS-Protection \"" . ( $dir == "block" ? "1; mode=block" : $dir ) . "\";\n";
+
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.xcto' ) ) {
+ $rules .= "add_header X-Content-Type-Options \"nosniff\";\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.pkp' ) ) {
+ $pin = trim( $config->get_string( 'browsercache.security.pkp.pin' ) );
+ $pinbak = trim( $config->get_string( 'browsercache.security.pkp.pin.backup' ) );
+ $extra = $config->get_string( 'browsercache.security.pkp.extra' );
+ $url = trim( $config->get_string( 'browsercache.security.pkp.report.url' ) );
+ $rep_only = $config->get_string( 'browsercache.security.pkp.report.only' ) == '1' ? true : false;
+ $rules .= "add_header " . ( $rep_only ? "Public-Key-Pins-Report-Only" : "Public-Key-Pins" ) . " 'pin-sha256=\"$pin\"; pin-sha256=\"$pinbak\"; max-age=$lifetime" . ( strpos( $extra,"inc" ) ? "; includeSubDomains" : "" ) . ( !empty( $url ) ? "; report-uri=\"$url\"" : "" ) . "';\n";
+ }
+
+ if ( $config->get_boolean( 'browsercache.security.csp' ) ) {
+ $base = trim( $config->get_string( 'browsercache.security.csp.base' ) );
+ $frame = trim( $config->get_string( 'browsercache.security.csp.frame' ) );
+ $connect = trim( $config->get_string( 'browsercache.security.csp.connect' ) );
+ $font = trim( $config->get_string( 'browsercache.security.csp.font' ) );
+ $script = trim( $config->get_string( 'browsercache.security.csp.script' ) );
+ $style = trim( $config->get_string( 'browsercache.security.csp.style' ) );
+ $img = trim( $config->get_string( 'browsercache.security.csp.img' ) );
+ $media = trim( $config->get_string( 'browsercache.security.csp.media' ) );
+ $object = trim( $config->get_string( 'browsercache.security.csp.object' ) );
+ $plugin = trim( $config->get_string( 'browsercache.security.csp.plugin' ) );
+ $form = trim( $config->get_string( 'browsercache.security.csp.form' ) );
+ $frame_ancestors = trim( $config->get_string( 'browsercache.security.csp.frame.ancestors' ) );
+ $sandbox = $config->get_string( 'browsercache.security.csp.sandbox' );
+ $default = trim( $config->get_string( 'browsercache.security.csp.default' ) );
+
+ $dir = rtrim( ( !empty( $base ) ? "base-uri $base; " : "" ).
+ ( !empty( $frame ) ? "frame-src $frame; " : "" ).
+ ( !empty( $connect ) ? "connect-src $connect; " : "" ).
+ ( !empty( $font ) ? "font-src $font; " : "" ).
+ ( !empty( $script ) ? "script-src $script; " : "" ).
+ ( !empty( $style ) ? "style-src $style; " : "" ).
+ ( !empty( $img ) ? "img-src $img; " : "" ).
+ ( !empty( $media ) ? "media-src $media; " : "" ).
+ ( !empty( $object ) ? "object-src $object; " : "" ).
+ ( !empty( $plugin ) ? "plugin-types $plugin; " : "" ).
+ ( !empty( $form ) ? "form-action $form; " : "" ).
+ ( !empty( $frame_ancestors ) ? "frame-ancestors $frame_ancestors; " : "" ).
+ ( !empty( $sandbox ) ? "sandbox " . trim( $sandbox ) . "; " : "" ).
+ ( !empty( $default ) ? "default-src $default;" : "" ), "; " );
+
+ if ( !empty( $dir ) ) {
+ $rules .= "add_header Content-Security-Policy \"$dir\";\n";
+ }
+ }
+ }
$rules .= W3TC_MARKER_END_BROWSERCACHE_CACHE . "\n";
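Review bot: The session settings are written as `fastcgi_param PHP_FLAG "..."`, but as far as I know PHP-FPM only reads `PHP_VALUE` and `PHP_ADMIN_VALUE` from the FastCGI environment, so on nginx these three options would most likely never take effect even though the admin has ticked them. The line is also emitted regardless of the checkboxes, with an explicit `off` for each unchecked one, and it ends in `\";` with no newline, so the first `add_header` is glued onto it. I would emit only the enabled options, e.g. `fastcgi_param PHP_VALUE "session.cookie_httponly=1";`, built from the checked keys and terminated with `"\n"`. The Apache hunk's `php_flag ... off` lines have the same always-emitted shape, and there they can override a stricter php.ini. The function body starts and ends outside the hunk.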
diff --git a/ConfigKeys.php b/ConfigKeys.php
index 0c11f81..e67288d 100644
--- a/ConfigKeys.php
+++ b/ConfigKeys.php
@@ -1439,10 +1439,6 @@
'type' => 'boolean',
'default' => false
),
- 'browsercache.hsts' => array(
- 'type' => 'boolean',
- 'default' => false
- ),
'browsercache.no404wp' => array(
'type' => 'boolean',
'default' => false
@@ -1566,6 +1562,134 @@
'type' => 'boolean',
'default' => false
),
+ 'browsercache.security.session.cookie_httponly' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.session.cookie_secure' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.session.use_only_cookies' => array(
+ 'type' => 'boolean',
+ 'default' => true
+ ),
+ 'browsercache.security.hsts' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.hsts.directive' => array(
+ 'type' => 'string',
+ 'default' => 'maxage'
+ ),
+ 'browsercache.security.xfo' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.xfo.directive' => array(
+ 'type' => 'string',
+ 'default' => 'same'
+ ),
+ 'browsercache.security.xfo.allow' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.xss' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.xss.directive' => array(
+ 'type' => 'string',
+ 'default' => 'block'
+ ),
+ 'browsercache.security.xcto' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.pkp' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.pkp.pin' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.pkp.pin.backup' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.pkp.extra' => array(
+ 'type' => 'string',
+ 'default' => 'maxage'
+ ),
+ 'browsercache.security.pkp.report.url' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.pkp.report.only' => array(
+ 'type' => 'string',
+ 'default' => '0'
+ ),
+ 'browsercache.security.csp' => array(
+ 'type' => 'boolean',
+ 'default' => false
+ ),
+ 'browsercache.security.csp.base' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.frame' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.connect' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.font' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.script' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.style' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.img' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.media' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.object' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.plugin' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.form' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.frame.ancestors' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.sandbox' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
+ 'browsercache.security.csp.default' => array(
+ 'type' => 'string',
+ 'default' => ''
+ ),
'browsercache.other.replace' => array(
'type' => 'boolean',
'default' => false
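Review bot: `browsercache.security.hsts` is introduced here with `'default' => false` while the previous hunk deletes `browsercache.hsts`, and nothing visible in this patch carries the stored value across. A site that had HSTS enabled would stop sending the header after upgrading until an admin re-enables it. A one-time migration in the upgrade path that reads the stored `browsercache.hsts` value and writes it to the new key would keep the setting. The session defaults deserve the same look: `cookie_httponly` and `cookie_secure` default to `false`, and BrowserCache_Environment.php writes an explicit `off` for them, so a fresh install can lower what php.ini already enforces. `browsercache.security.pkp.report.only` is typed `string` with `'0'` while every other toggle is `boolean`, which forces the `== '1'` comparison in the rule generators.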
diff --git a/inc/options/browsercache.php b/inc/options/browsercache.php
index 9eaa454..a81a54a 100644
--- a/inc/options/browsercache.php
+++ b/inc/options/browsercache.php
@@ -126,14 +126,6 @@
'description' => __( 'Generate unique URI for each file protected from caching by browser.', 'w3-total-cache' ),
'style' => '2'
) );
-Util_Ui::config_item( array(
- 'key' => 'browsercache.hsts',
- 'disabled' => Util_Ui::sealing_disabled( 'browsercache.' ),
- 'control' => 'checkbox',
- 'checkbox_label' => __( 'Apply HTTP Strict Transport Security policy', 'w3-total-cache' ),
- 'description' => __( 'Set the HSTS header to maximize SSL security.', 'w3-total-cache' ),
- 'style' => '2'
- ) );
?>
@@ -386,6 +378,320 @@
+
+
+
+
+
+
+
diff --git a/inc/options/common/header.php b/inc/options/common/header.php
index 6745298..d68412c 100644
--- a/inc/options/common/header.php
+++ b/inc/options/common/header.php
@@ -123,7 +123,8 @@
|
CSS & JS', 'w3-total-cache' ); ?> |
HTML & XML', 'w3-total-cache' ); ?> |
-
+ |
+
p9a}
z*%ALcg0PXDfvuUfy&1@g;AKQTeUO7aFA-GIzaPQU`ag!XvioP5pbJLttY=NnNXPK<
zNdGpJk@=sST3Y@`Ydd>IqyHoCe>t$7vWvA5y`qsF$idbCx^c$DFH>1_3E3Ly*@JAA
zK_H8NS5e*+WDl}41z8ga3H`Nd1QY->D?^Zz9pztrWMsG`tnBRdtPG4Kgn5aeqtKa|
z8FI0Saxw|9F))a52(d6Sim(X^a4?AovI;P>hkeGUIRSy)9y|J%OwP+{m_
zHupbm_Pe#agawqH=MPg+rBi2Io>v~%
zCv7%3M5Aa2=jd)=->Ane)n}#l!q#<=3QF5Gju)qyl_jvo%PX)oe340m?+YPIimz$>
z6g`p4h8Yit1D`4T_E>a(8?2Z{&@LYMsZUo%Qc*^vMP4A&)YrPxwDV-Qe8UUvX%7~HLk;^joz9}sNnSLVGIDPb
z)p}pldOzaS(#g+%-bbv3UShJw!No;&{dx@ha_9MR^!apj1#(^652$m5f%y>rJ*N&j
zE;8HY3CQyTdj?QlU7bFrzH^p_BXpjs;ak=5_}Fw%6yb4bkc}p;TypoNT$xya_hKtS
zH&1(aj|#x|yq&KG=EJPdZ$h0D*X#V~sx*IrM*Cj0o<<_i{g3Ztm{xPQugP=0}fDNZ8}L
zzZ>;xK`Yz}B2T-$?d2cgPl%7Nsj5ohabc2c8e3e{QdTB;+8<_LAxTVj2#7R)+y}H$
zNs6Krn2%4(hrx7woQ3sM&SKBq^0V3^89VQ?z>1LQJ0HCxHW3kLiL_r$&uV!eBr1tN
zMNzRWB*_x5X+C3y9N-ED%h;ql!Wyxawm_Zk5YW*oW*y1LI9s2+XKEQ$)ccLM+&=QY1{
z$YtIfm4+6Vv{tigwKp9ynu{FY-KH4-{g{P_1T_^^)BI(W7+yy1-BhWk-`a~nLci-g
z+b1l4vS7{xwmxpr@AXIueMG(6?3`yp!Th3l2>!BJ#V{~RUVm$1X-OM|YW{gVYm!LW
zLs4qd`oJ)H-Ye%j-@D!ywVbBMG{?QCxt42TVTM1z-AfwYDjX<2z1@g-KEr>u>5GwQ
z=eZbSK54p;tyvGx7N`ZSKptA3ADoUC2`%mK&bNLxa*1<9pW}V~+Q&l;@V-cYzDutc
zjp)`lqkno0(_tecfF``?($?E5l|ZMS5w$Ww*xXTTny>#g)|a2uw=|lDj&55HE`w1T
z%cwrPlmBF9O)-dREjV&CsK}P!Y%{tn_Rm0Mksc^I!J$u_Z}T*Wr)8seMUdLrPBg%l
z0MP|EVpkmZ03k4#?93M;vw@Zxi(UJpsohCC65jn9!>)ex0C*Sk+x7`g0qnb|piB`*
zVHJk{#z;`=e&B!~431-~*QZ7&BoN
zO$`k#u@`L%3JSVec9Wa%F$ZI6j)&_$u47bk=skhB?z|cybEBR;{D-sUSyffakNc>Q
zRn!V191*LViHEJn+Jv(F%mK*A;w<(q8?p9f
zjg1S@g|Y9E0n=P;02G$KAhM|89}{)pkxn1pLK2ct(?>f>hA}~`*?jqdwa2@QarqdE
z>N`GD>XJfX1&4lm?}y`y0)^kMr;Mv}Ch0k!vf-L;SFtHoZ>-S?wbgf(-q=Vn-S|6^
zM^;Iix5?wL@Tk%I1E#J2c_Pp6%}^)ZbgVpRRq}H~?!;Ewee)_qqM_s?F9V
zv;R3G8^vE~WlB)77}1#@5Ic+R@UvcyXG
zS6p^dXLP-^ji^$k!3!-OjShz9=8_FRBrX}WUA00L&*ePNV-~6QW0tQoLESDF-Q6Ms
z>icv>dnJw-%sVP%osZg2d0zKZ4*6Y)iI{uz2q2T+F?)HkztBHBZxIlMzli`c
z{9Yq0G{0PF6VQ!f*t#ezwA*$3tr*4w-_jC>h>PW_Ey*s8+ufLffhAlp%_sHemRUv_
z)-QabR#iHL@3yGt^0xrjW|AzviLGhbjv%eMV8h4KE@Q;=R(o>!?|@5iMdW$nsJp+_
zSte2@-I{Ig%|~VG<^<9*&FFR(4kIUk%<7w>M7NTB=D;Pj28|g9hUO0iMRBFtjbvdd
zq%jia!U`f$OdoQ*^Jk&jiVPs*c0BwbM}TQ~g);;2mC}n0yj#a;-CfES6yv)ei-_K@
z-nM(nXrxZ1@43k47ZwsEZMa4|ny((rc_V=|#tDwgT0FeJcQxmeLYHtN<9$5s%rv2?
zz2(RTgO96cbRO>MHCY8=LUhpYl=bx
zZ+3UC`Fnk-7TyMsMO(!>>}K!1SOVlL9-e9{CnMupaL(2$ibTR1pyeDry=0g~wd0-N
zCvw?3<&BF`{?<$cpRTzWIlh8NWyKSTy>xbZxy@@<+Nzx&3l1aKp{5S;aoyjt?ux2FmPKmS{_BEkzE;Vc>
zp6$|=>DTSEn*M$XAe~Qd^P_I10J)Q+qa-lz{piOk8v9g&Bn&dg-PAi?FNix))F}WB
ztbDogtJNnwI&y9ukcsT>x}>5$n4=6lK8jm#AS}eB8eDjl9XV{62K2*uqHIWluhNQ-
zS+}XKmO?ke+q@8+>kb)o;8fENaa-6*v^erQ*D2dHX;{1!5d-L!qtwROR|0jWwuk^n
z<8GIupX7Mf(De8+xM#8nk*_(wX0+aR)8C(5L7;vbH~(3y@GRA7xnGM_ajDxyWf+qp
zC#0`&WjBm{`4sXwbYG}cNc^=@XFW+0sYLU@DDc--Fuli~6rH*#rxJwDVORSzFvB(e
z!_KGlTi?NeAAknutlJKZmeql0T-=0LU_|&$G-;Jmj^#k{Y|U0F^FLEWD6}k(fqEo(
ztd|OS>qMLlzqAiJi;HIFf36~kojtu?Mrg=1HO#0x2`D6Z>zOSz&=ob_FnEeQvMwDn
z(;+R)=>&V%#eJ|;+L@r;kn-(1M1TP8)%xy8ZID{Xc)m#SOt3S%cgTU{9*#Lm%dw>h
zH^~(H_%VW225^mFWo_+fc9OsQ8qK6gyPY}O#!TFh?oSD7Z0lf7yvj5lli5t>L?7I`
zE0VbtNHg!p!B2;h`c3Rrt>j4Ih`4C)Vpb=c7LJ742M8rkFV-9z
zd*X5rfM$Y!*C*x)xk!f>g$OeWO9o=Ge5x#1TxxVux(I?jh62)cPOo!vFCxg@Jg_vX
zI6EELJvE25R*F*|xAkG^gv^0u2Z0AI$?JmMYa@6x2qk0twjI^8t-9slhh+NwWFG7d
zwgO~ua1fi_YP0co;Qqe(m;x~|v3vgyAX(}oC12^}V0Q>cLCYjB-(A04@W{?p^=Gzv
z!AnB=sQH8tTS;+zXFI#vkPP|pkj~D|rtnzu0=*)WhD}Ou>(^}HgK2b(HSBniC9)-z
z!r*p!4F%?$8!haa*=^+DNZw5A%ek_3kK-yS4)AL&u!KqE9>Iz)oyJyhrc1L7c}OEB
z&Dw5ZoqfT9WKmDsFa_p%oIrf!`7wd)iS4NuTm~tQ_VTqO?YR%|0fV%k=iPq8_nhS~
znse1`v7@S*4=de^;^uiKXlHvIW$*C5E
zfoaz6lcX=TUvQ(p=THTfe!AqV8-oXMoVu+%q)j13rNO=v`#q^Pew3cMdzScp3)TH>lonY_F!%&XoSyom?pLytt+koBLDNk}
z9809vb!9rQ$9)y)2ko$RSK+8!9fuwBq(y#(l-OQLexgZIpIZyo6JxNN#x!lle9$~g
zXl*|OBUS&(QS1^To3#HjEfY_ilQDm@cmBSItIJOy9mhUuH#B}|YH3*}m8rPhwUuIR
zsBoZ#QPa}8#4GpBs?#F>V55^fu#}O-rH+oOIy}jLJ!`O@4h5Vxi8Aj?x&!&>Z*3@R
z4rWTF{D`MSwC2SVAEbC^ke_Q?pGpRKK1OeU2!}>KZ_vK%A;XM|n1QK>#W=RNEm^Xw
z+|vZtN2yxq1NhCNW5ob~1OQ+3fCBQu1(#m1HLJ|=ic&(dQ%arThx8K1VWpV5Auyx8
zSs)?_Ed3`bncO8n=c;x#wjzfH*e*3b4Rc~*0*pKC;`j9fsoqBi&-$Dk5u}W>yNN>$
z3J>@VAyi%x$ejYN3JTwY;G
zuUN==gen#9KPtf?qMZ2*9m%0&(|$J9)>1$
z<@Bqr-+Xl$;x;%ySlYsd;(6K9tIo)4{kQ2R1m3W)AA8XQdYBan*O8+{{VsdF8K?+1
zRp;V_v`pgrO&c1<16tcfaAm82e@cLy*!-My5UY8BiTY@lX7o
zgLbvC_bX^)EE#7?bupeVb-#)=PgbY1KURVGcnEWWALnw3#z6H`?`7}=~s^f@FsP=&QXWEie`!7g7bxRN()K)m9n)cl$
z)~;njJWnAyqe5%DaRT5ObmOhFFf(Uv`B@{pO8c#E{1`%DDVq}HE&9^Ych%uR
z%-mejt9_ocC%UA=H734Wnjpj=>RC**8Mf1ghK3?Qsd3#<6xV4QuNzHXRA7}(Z-)&n
z%!ivx!;dFv2S^!wlvZ;PC_?Qmeone-H!07J2!y|Tn_Fo2gSthqQ%Jl(V510_sJto^
zXV<#bp+Xe)r-%dpV}U6|(Lx0+j>u_>{gJs}+gyV6=1A#HsYIgO?^56NdL+ff=5bI+
z6x$~+n{X*RlUqYi`sFEt!hj%G^i~Sweg>N}Bi9Jf=a;aQ79xQundK9~52-t#Bv(>W
zD&%R#<{KCsoQUz5-a+-)6*3gc-kbqzyFu=DN-(7DAcvz6n$FXmj*gDi)!)=|XL2)0
zp2`xR#|cT!E3kVVwCfw4PISfwBR@CY?wml5Pu}ipoXJi3P`&cqm=ExOod7vFImug_
zKtKI`R$WvS(u2pSzvJN__-o*Ss}3DEP9(}+DF8Jd>@=w8k<;-rKm#y2MTht#w@u%a
zL70e?>$`q8`2`Grsg~5XrH8ee6PLMI$Dp!@cK@`BKpe&UI2K1$(yuFGFei~%y1N`6
z=^5XkQLM2Y0g{&Mbit1R%}L;E9sMeK;sWoW#aLfjb>cwZ6zM({
zN@en%b$tSdk)5$yyVTZqIMrdd<$~&3@N?MDe<>d4avP5
z;H1tBOA@_AyP}&x1m)YG7j9+hKJ5e6YhN6j^7h?f&0A_@s6xCB!%v4g)o$V)hua(}
z4f)3$QWP_m`5-yYTvWH4<1Iu?36r{O%|B=8ORp|cPuv6eTatUUqiIT;&Ji$#vW>gc
zwF@y)g{oIg(3AxrY3s%G?e@+1i9-Z{iMF8)iJRjk#GxO>>k$vz75=UA3yo3TSWT36
z4RIkA6^)I_{DOYtw(4?mThX%aLhrrSBWC}^zEAC+${>9ug5jbWGmwdJjuEnB8{Xe&
z{*&J)m7UIuEOStMJRxX@Y|-?o*w#U+@QqW!LGXm($p=Z)nHaHx&sdM9Da1}urS3^X
z54ZMG<|bQv(WTATNw=m((E_@V^8|^UvoI9pV5glEde1Y&8O1*KWoMz3UH9{T@}j~*
zXOq)8rNhxtFNhr@EvD%F`qhl?j$YHzLT!wmp7BuYP4kJz7PW4{BQIqfcBOup=q-vq@1wWzfMdiL=P37l1p33c{
zShE=q4J5^y-`6d-$RtMA?rj_NAD^GwLRxIkT~;T$J6F%qN>N(d6$K_+Hu0&yOOvv(
zu&8NAQAxF0zc3uh$v1zXHXQ1E9$zKKz8+owVXd|Cr~3Y|ax{3~9Ns1g_>_n7WVz
zyfbSwXaP_k&l`=Dv=(XI#W6Fg3_oCucMp};R47Oz-E>uBMom0IFA1LGUy`&N}Zk4%@emDxegAV>>7TZeYniyr!^LAAPn1qkBSi!740JbF*7qW
zaZ)7xg*(~`4<8>RU0q1gO(1};G3~r$uQc-71>XKPIFbsD_uEMSx{ui|;Fx)o$Dly(
zyyoV~SKYValAQ1CJ!ACIipg7e`0lgt#m3C-A1rOk4zfPsVD?Ra{9xEm(dJe9fH_=O
zA-<4sE779!bNOifC_HfT+iWcD;FPzvg&?d8VUpy`k>3inX9WaX*CikiYIx6Fut=+W
zrX$`=R55=GqjW72lC2WAzivKO#UGY?|7~^bLR*7*p6AC4aKd(h^HKGTY#PrVFCPQL
zs%t^H6!6~tpp*Y;fT+yxS<$TxTpBzCOLn9q6MYt+oS(diZozUH?|+Y
z$-5t4h$o2aJb>cwcpy%1r_via&_%=75{0_f8-Y&_x*hBd!JyXwjm8wp%?Prf
zAYW&*-hH;i@;^hSQ>_0sV4<&1WT*;dhtV*mjEu@RP(4rK&PF4=9yg|8xhtAVO2TL`
z5FIe(Akta#=CJ0JQ#icnVguvVS0vGnkBzMl+~#6&d|7zsFT|aCY~jk|Hha#Jf5MiA
ziv&N6`v`gR9yI_hQtBA7@*Ps~YnG~^z0)ZF%U91c{OEEW2@AarwprMo1)U|N#3j}G
zKSa+jN)W*L{QZJ04?o;HQa>@#>gMm5ho8Q^sG80tO=Bq2*3v;qxGhnMF
zkwzs!?9TDMEHXn+U#DbK`i`#?gh(#kN@Ph3J|noogw(1|nj}Qtf5Zq2g0ov~OxsHs
z4aeoaW!vA|GgD+xSh-y{K*#LVjk(=U2GP;c89zP!pzhj;;FpDL^3~hzpm1*9UmYaU
z3x{{>H##0=dfiQg_br?>-{^et(0714wjSUKDZx}r_=Zt`50{8xY?ig}w*lp&VIo^o
zIPFBWitJBU+Yd+HmGbVwBlXW!K_oiX<*mtGG7uB
zksi0Iz%y~W8zl@1u*^*&RLMyY5fPuBp4N-E0{AX7S|0~nhXUB!VPMXY4-4PI7{a$`
zc$Ydl9HBtv9~s`jMhvO1=WLO@GQypK+-tcW=J7vK1}WP-P9ue^D5+h2^LOPtw%)%^yyah(^QF89
z|5BjO{8xbr^HK-}hu&}GE
zQ$!eonU1J~o+RhN@}3N(HMr`Y$skT<880@{ys8Yx-mZSNJRA8y80?F=kqIi^Ug5(N
z`UWFz501q-msv^b!2z~7dF>Z`+b?4N~$PfIuobkz#v62J!1H-&C
zSBZOOu^a!h#NO>NdLg!W*iua`nGGvHYfcUzukrT6%E@`~159dGO+=^0dxliqOE%F$spBGht3l{o(QU!4Q*xT59wgf2Uqr7L1(g&w_DD%yd7Y
z%cvZcEiyZR?|p;TPVoq@kz);V4aVkN@QM@@*3$$3^96sct*tW4tTQ@OEk}~*G(v`L
zWNnFQ;+DXufC~LpEyhFkqZ2wk
ziJE+h|$Q|5q8b02Oi@1cBvul}A96_`peSV@vQ
zA}M~{_?b*c6ErlX#D-NbY&JW22wUo0YrtyKcVA(c`*Fwt;;B0Ky(TfvGBQE!>QWV}
zkweL=SjWKOd;J5L_7v;HXOh-bZ;^}RuxAS|kE6WrWTq(`;fPlJV?Pf$7PiEz1B6oV6Go7yJa;%&g>+=zU
zN~))x^Xo50h4S$nRv7}r7$m5wW{aWVKvf^)WAVcRLQ6?tp)`WcN%?Wo?}xFD!&u%;
zg|MsmFh9m``==S#1B43^I$?!zz9SQG!Xa==WI~2VNiF%XVZt7p>b{Bty
z3>jUq=3Z@GA@ATg)wEBAk`Ls{hK)>_GaCgR3#)Up+AYzX{I-k28dQ3}gosf4mDAVM
zFF(AxC}*#Pj5Gf*=LfaT1Pj@Bvw-X|(s<{4y-Ad;eYOlLR+h}G8ndIkUX8<2UQtP0
z&5f1zpYC)82Jd{}c!&oH=bNd^;2xG5RWpH%Th8wGV51*`dD^pIaRLj+Uny
z{=~*1dxXfhSM^#nAd{aUvD!qa?6Jic{_!TeF7G-@U)>I&L#^PoG6n~pf8*GnpB}UP
zbs%?zUt;$DFykJX@EB8c{Bf+PrA@uHpQOm|Prt-+0xllzMCd|a$^gSt0ndtEgZO=sVWVL6p&%W06XL{Fcg@upWO=
z1D~GgFIbTSz0tcU(n5HKE{j82A4?Fz3--$=`YC5D#QJ6_4!F1R4$DJ?UZE{G)pVpW
z${$jFAp3I#W7bvNb?4;xM2?QBm^mdP5sm@
zWj`?VEWP1AMsRESnng?i^N66HKgU
z5WJT5a@CfIySmqPeJ>Re94;u`Z@?pdWF;0|n!ed@t{(UXiJJXm9N!kG?6Jl-)lw+=
zRgjFgVUeKPa#$JX2C8ze_u)6H5r3S8YL~eW*%$Z)6!x<+W+U60o>9bpL!~VmiQQjR
z_C_LQIqGvpDpl32<0nF`6u;Q1$CPt7uQ-A`s5~r%Q$LzTZS{l?t70iVFahBX2B$4p
z&c4};Xo56F8u^CFvkQYZQzYb@*A89ciq5X>*O|(?Y~7Xz+U<8bp>6esIo?j8n4$
zpNXiGw-ST=Tu|O#jn{P?wNC{FR*f072!%|c!i`I6$EwaaV7eC;6foP|nZ^$Cm-&dC
z%gIExk1L<8%91kc%uTp+Ti*^&%#fJy8;(Us3#4zk+-uZeCRicm|GXb})Md5H0P*?l
zE%Vg{rAZ`tOGg&Af9KZY9>mylGx@uoI#(w9MklJQlGZ<
z?n29`(GiW#9&tYfLy-?nL(Tw$;Mg%27AH3{+LDR;mpqqY9^Z*3S!>zAhUonH;Vlvn
zm559)Pt71#w}=s-VHR_jLM&V#UtaYOd4N3^(x7Z#zc!$EWgEZ7fLE2`>5Cy7RI)NM
zU*a&&BaIUy{W8m3ZF~m_^eZ-5Qn|{H)`#|r%w*nkZMwPX1?dCu;u5y01%}c1$Cfym
zo#n^vH3%i;Hx)oC^}fnlnmI${1|i~kJDzI2fbHa98n$!5u#YPsMG|q3f?ZX=!eibL$Cdqq=R_kw3B8=r6O^PA9
zEu6@f`G*RzQVE@uaRU|W!hy64a;^O>UwX@jywg+!esU~-XR=_dUc)k%W-OHg>H?;<
z*$1z>Qgp*6!>@EjB<^z)WFoMbmd2CUfQ4TKC1W-js@bsT6<(oV4il!LbY|;CYh>k$
zqEhk!HlC8MM!!ykjqcTdrN$SWCJGCFQSUc2IB%x(vPONcYr?9W!uM8~p2)?L77GLi
z_SZEe!5o(v{Kp^Pyy7AaQ^qtxlNSST?qe;`hlh`tl8%;-<|#hS%NuArMG~6#zRm3I
zxvVL)I4M?A|GK2DAj8Bg<7XGk-@=(ab$JgWPz*1RB}LZO{oCcyCz|6F;5WImjqtir
zAsYWBN{C(IJY$pz?X?N8W){amX3%ariFRCY`kc{`Oc#YxW`tqJKP**NqtYi$LNQl<
zXwv{Apvsy%ZbB-~k!+vKHEsjyGLA|7vcf`#e8*W8d*7l#q|Idfd@M3mEXTE;DYvl1
zmb>mTX(r^u&r>N-hX{vr^X`$f57~1wjdT-87h-x6NW_LM=FG*aU)8J#-h6;A(C^jR
z)$rPsYGa-`yAQzIx35bq<#pS7GFkhtb4R+itZI(WtYdiD&D~EVtc1T07~j=zE3oPP
zvM5YBYF@M~qGXg4v-QG_R4uGxR+t_`F6b`Es4%dhW5~@Fck3nA(C1>4|HzbOOr1;>
z(|#=l9GFgH+nXptx3mn~mab$Ef*b|1=#~c!@7UdQQPCa2MQNoPPgI&(yNzo&5#DJ`
z?1!Q!#~b8(FV_S+?hLg|f@~|*>nggOEAnqKq0&$2Mce+HrMe`_Yix76Qf;GXdM9)=PzjR{!)Oiq*ea1ga69_^`Ef!
z|6zdo|7Wi@jSt}lsc~ch4?E}iU+kU&5*1Pn@C@P{&r5MBzs*jUYAtzs*Jy4$Q2}JI
zGl<6uwq15Tq49Wc8T;Hd;X!GEp%UH_=SKAv`ekcINR5O6Mq)YoRkaNZ6U>`#c{eN1
zs7ZTWvIb!0(nCisER6RREzXW2vvgoJaz(N+C`&09^CQ0#QZRna>s*M`(ruELLtW)X
zS)}+-51~|?E=3&iOjua2#`;L0zdg@+IkWQK!MiLtwG>i#Zn&0_-O|ZB(Z1Z3OKNT>
z*+(IZ&)o1iCu86IByAVMFNfYNKPJJrmXV-ZoJvoL&{X4P^TR3bfYOVA=v>{oz(vDn!t1mQ
zNA7?O$HarNZ@{o5tFwTD29I8@Zu-OHjHVdpW6tFYpNC|xn~TM#6ih)bSeWT3YnIqV
zzCLa^p*;UC@z1S0=?L787vDPP;%}j$d@QbWnHWl1EAB3qMUk~Iamuw!SZKvh7h`F5
zEGz($(GZ=llick146?=d*sc$EYW(*5r+RGCSQU(YcdnYu5gJ~*J8Jv7y_e18NPcfM
z8oMN^elE-~!s`dLvQDLTxs67lAMJsl{#Ufsa8K*gB;m2=I!Rb15Duno{!4h02b{xW
zxbCm1lkwi61?ypj+}DDImBBSx+hJ;>z4r?!X6KKV%^hCLQdVs|hdI<@0_^iPuR1+d#jyiVS--vUBuFE_Tjq_Gdd+|Djrwu8UU0TaAU=D*6-7YrwXg`ro2F
zMI!Hl6fYi+J&nIt=7K+#yoXUU=}-tHz*HdGIk~m?K#8?m4GyR7Wz5A6J8M_-`mD_a
zJ4{co5qNgG8iEI78(O`Vs;hwJ1Nxy9@n$7#$h!JYX*x|~kiX7&RlIL720wGSG?&YyLxTt=QJa)(oYI>MV*)x#!0-&4^_r
zqQk2pLy)jE7uxP2gf&ol)Tt=R~rVN^%4-rg5Gm0pfWa
zL(NASSv~YaVz*P+J~7S#SV`A!pGIJIK~M@2e^vW$bo(!rXNdZbh4q#vSpOf%zkjXd
z|BVBD;V)mxKa}COFLMMCMs9Azh`(xKDE|S`-trvFDo>DylTPBlZhS)^`kSKsSCIc5
zrwB8`-g|qB@qA^BRqyqTitiILgS2<`LlE8rYG+`|zIFW%1f}7?^M>cCV{E~Y0N_FYX>_w&1!3G+C>OKK(a{X#K-(7c`?~ro6KsDmUg@ywo{%bm9b`}<-ynM#nA9rVn6I<{NA=T@jK22HA?2rFpw#n3(L=NDB
zFC1mT=wvP`O`}6z7@k-}3h+jM^HD64veBtKx{<9Nl>j-o2sKtNPkM}x->Zb@Y!c$X
zCT09uk5Hr`szB20whO6JeBCgub0jhmGxK+rYiJLjW>g-6ON~GtmdnB`UPun^;)L8O
z**iePagogdHE{_w6LBomxwG;wF?i_lNQz4-5)!KJ+5V_qR`jZ)0_N~fvX{u*;6_g|
z<}b`*x|}Pp)aqJ;mW?#a3qWVWU!C_jK-!B(RaHkPf75Yxbo6a|ExW3lW4@-
zAU8^N;49YM#1-Pvv>6s-q-<&=z#+D?1{GKLJ!Y9|Vq|x^ZVgQN)fCktj@e$WJ<5mY
z%BJAA{*ICiB|Rj*n5i0H*PrrUv?;k-e7&)!yi+inmXFl;N|ZQQacD@fL(@c**jI
z02qcg;emnXN@tQ3qT)gY$GdOQJUyRx9ea(dFBBnv=NGH0<0+%dXdGz72#Rk@t_0<9
zDav8@=G9{q-b`S|6PaWz`ajhptuvu&akP1G+Z?yOS%TB@yl!S0(QLiK2}zXDluuh!
znX@aI;hMeGU3A~p0@ka_%D7~5>DPWt-5U_wJKg{Esj%iL2
zyojl-IgvmjVT&h4gLA|CMI*fj!<1>NS;59ApZtL+T(fbvZ#ngFWj+<&fE)f6eq%wV
zp)VMt5!
zl+F*v65+KVVezFFe%tT32$)IQzI1Ql2|
zm>rt9DmcAO6j@0)FU_INmp;y?iOKkR8uZ6fkkx2+JD%0Ii%q07P^*B2m%d2-J9(6&
z$n*4?`YwctuhJ7F$Ku=Ex0z6rS(|66Na9oiU{c?3z7Px1OdGS(_Q*DU&;+ISzNidFe3{;2M>r<8D
z@h{5cCeLzRJmDqNL=MRmBS|vKs!Z_1wADEjfg~pIrsF*?j?u^6jTvl9YYdMC
z>gVF_PusE{FOFION*?EHj(htpxNz0+Nli8)x93OQ2iu?ThA(IqWTsG;j}x0H12rz!
z1ij^C(*Hm$;ckP%^A*30Z7{vdkR)c$_fg|%@q@C~a}v$MN7ifU7+_8}d9aj(@VHpk
zI8E{R(BStCboBM4i4d&@KAe~$gNwagQMaZ^#2O(Zy|d}IFY+vE2j--<=N6Xch#N!b
z`y$j49T(#$WCtWav=tP(+~@TaC4#2Z3mm@2WYz&aqQ|y>UG#i&s|2DE(*^c%J0<*-
z(@&~!QGPzTYJ?vu*r)l)*K~hcuxFEtX5eUHaXSv9d!8@8nRGZ_9gv&!8oQNcNc7?T
zGj}tUT=nd`xRMN1T-Ea8D{=A=aBfdQuCkN1aCn|pobiOd#hZ8&V#(WaT<|n5b;M>v
z$)#_XMT{$!KX;}D_$)Cc1>gBhkK2(ookR9N;i=z
z$($n>7kDKnG!;N7%LUH+@-Fe5Y)eH$=yt)DMK7jI)~JP`p!Tq1ydmZIS|vV~!_<3X
z;o75P**~r1*u8oUD-V6)CopvE^M!LW=x%pK@pvoQ$jh!AYqnW1%sAOlG<{wz;0loI
z#_%+##hHB7Ta78<{OUBzEx|4Rlg9{Lf^~eb5yEXY)L^YQ8~JYiEdZiSRLU$Ee_WAO
zDpwBMW=5)HKcEtNfBx-Chd{+m9s9G|QE16V>iv4p`gWcaZ=>_!7iH2Jo2taUS<@x5
zY-VEa#Thn-(m>UMOP*;a)gvv9)5O>;Fyq2n$#n+b8*@j=
zo*hA!3W>SMhf_%_)4??-;^s5Df1nw+OerY`nPvTC8{Q!Tf
zqy$+boziTi8Y^IK)4ZC}u5idf%D!wzQ6=E1tZ$WPF8@rwgP9ebO%pIOQqSPQF==1^
zRmyatbNli)vE7_&$GaTvYRMJ*0{txt^|_b|#H-Y>3HEAxdu21;Pvo;F%-4orY`TNo
z2!E};x*#DwIg25YcO5E0z{RBxV^5E){!LV`pzJfn_yqy!83&7r4O-J}$#+UVh3dvZ<(7@`n
z(Tc`#^QfOYEzr-S)V-RXArFNYkoDGOY2urc=QV?`pI>0qD^ih#=(9#k7k+_IJ|ySB
zjZNpPAXWyRvVgGcG#&1chpRaM1J6oWuJ?VU&7yb#aVeQc(`JjX7^`9#{
z{P5;Og2Feo|0XLPY0v@w=MRbpIKuyRYWlxMr{2|J8`@K#rn9#^f9JWgInp-%#;e{4
z|L>>;4t$tnp$pSOZ*x}p;
zb{SMN$w?k5SNRb36hIvj;a_`a{j8;0IC7AbgEXU+=dA?OC&XqL?+ye&mA&S%bF6k`
zXYz203ga~tGp%1}^8Ir5$N-sXPhrmp-m_fm9D_d!3q7nww^!1hT}`-{H_*?lPU{`?
zgb0oBy@Kf@W(wt?qo+Nu=DTVD4)hxw~fz|o?Yq%51ho53`@YK=@kr6tu|*My`Jm3#^{4*2q`
zX-X;@>Uo#q1<(5jZX>-p`C|m5@=k3*iEG`oisDI>01>8dw`&a9WT6Wp;p%yN
zdp%rF9W&?CQQRw2?P`j0X+_71FbLut%brU3Rp8C}m&Y~qOV$Q5D2DL(RQe2ug-h?@N=K~})_wL~j9yc&W^>!|A+?-?G@5GKj&5ga
z4l--9#qX_suz4$!-nFR^?c}D@Y(u*0&IiB4qpL!vMoMD2Z^Z|k*D#fr(bQ;KcD$AW6IiEjOEIU!YUGE2He
zx2Dne-XJeV3Eh%$qcr$_zRshm{HFK}(6m)w6O}t*K)Yn|9rQx+DjAH}Oy8yqK`ahg
z$pjo^7#hEkQ*@>;CD1RL&3!q937P;p-^>+f&!jQM~vm={enVl{te)0j!BOtosV&t<x}*1%OGNfQ7KRM;^YNr=(nN8PpPj5
z^k;aBm(0V_R?JgUqmfY^767o``XcZb9T^66(c_R8c>b=_=*<&S!<7bO163DtSZ$C*
ze@FUerD)cMo(^$4Rg0OC5R*t_Pzl4G
zuWs^4cJYU$Ven)?qyGHe8wbAgnq}pu)gwG9LdND@(CFV#?v>}iP|jZXaJdF9p51{s
zD?S8BsMKNQYb`E$(gs#nz`E*3Bn)QM=aE(~Q_xT_f2Yu~-9kzF0AyV(WYAJ2&u-uWb#$@M-H1|YgVd`&WKOs6
zjbRB(DPYvqPVPSZNjUvoT5Hpt9V3f8-^N7l4M4?W!4hX>KJE`0#<=Oh!iEzYZzV7$
z&g-B>IKgAyzc+a35!k(fhH@PC-tldb^op$wZ7~|nA@iiw(cA9}3MKrPC(#ma3qM!-
ze{=}WUJq=O9r>9s@#>uve?71u7qN}i{Ed3*it-eo?hN#|PuGjH;p65NTsp!cRJqFye
zBk-HVpaW_E2Hl~|FQp-xXF4VCwDiW*#mCXk37)xv4>
zM2QaUrxMCplY%>m!p^F49!40RABBgOL{%B!&>9oRm;=o`TbyiJc@X>5M;AkrdR!R_
zl14d|kywoI1HW(djT-SN(MC&6fxyY=wS#4D&3<4OInH~n?!41)S{mFUBB8c-d+3(U
zmgq;7=V}YzlM|CFii51aRq?HsGmq1MP&s(rg99}j1JNe-%7A}km;Z~kw~mTqUAMhSNJ0`U
zxI=Jv3!b3C-5Pgo+&u($clXBKB|vc3#@*drZj-h4zUQp5&l%siR-ryZ3*ixd_XN`(dYbW1DYVI^Sj
z6~9sKPpM=a)RHxW{j`PE-T%ecK4sY25vQ2;`qq^$^-0*|Y)Q6gDM^*_>p{9%4?7N%
zcxz2jZGnW^)9Q}e_QWtm9D-aYiT-u%yPuyK{_$J*$(k&7574XG0Hu$j4vV$;UTZIz
zj-H;t!+Hg@x3$)B^kIsetk9ZgM$*+p#cU_>%d7Na8ONZ7Op`LC0baliZq(8T&)u*CMJK~k$
zb=Ps@y}@vcCHCnG!)$B4q`x(~lI3ep{w%h2)Hz&UfF)s@atId_re>nCod5%q(+*7)
zMb<5ctHYJ1D)au9$U
z*#(2}M^b6ol}}h!${!pjR1QCc!uhTrvR{7N?-xs~vu+~8LsD*3FaN0C(D?a76&hSU
zI@5UQW{I>ShB6GL$fL0O9CPM`{G4OJBEM?os`#C|BVlfAyw-#=Ds4{Q0HOj$c)A_g
zN#b&(Vd-+&VJ8X?e2zCw%M?VOOYyjQk>_Yec3ZZi$6Qngsq5S;
zwWHF;98X?wKhbzt5-NLoW;TF>V?u$y(_Pb_I>eDmT~$aylE7Fe0GV}pZ(h?T;3UI>
z_|URcP7Bv!Mymx-gFqpBU}I8kxD~o4Y~Yo%N}?EjA)QFfEp-%uj_p*}hleGlXjbLO
zt1=$PGnVmtyKX1lf_B8b`953Oawi)*U4H$gG7I_Xahe}?cs=1CHaFy=Bt8_){y6Zq
zL1b*&;apa4WMQuSOWkOlKCU{T`N_Lh^7-m#Ab8e#7qukq90mn6--LWXecT5CuAOsB
zk*ChU>*SB)`##pAE4^Whi6!{bBm6ze%iSG=!8@HX%`I0Ywt?J($BG}
zjEk1)^Hz@MBVCh&6OAyBXYm~BI?err4nnAsWp7pMKV=Cn8&Nex|c*ZxyLEUGba{&z4hBVr<|Gsa1_2E}7y_&ByOH!v`xRYv%Jg+C^OG
zEL-q=SH4G1&uaPBKuS<~&dZlL{@tDw|7O*AubHsc0Uy_WzuDugy@jhr6kOQ)@3M~i
z8P%ciKz26VOh?Ern>WTD2YPJ+-W@N#TePH4%0TwF55rCu@@Av1`O@;Jbs(rKCT=F3
z!ZXqrSAN3nlXGFsgN(>jxd+#khH-xX0%m)tsIrHikzq6wnuxZ83zdRh-IY3;-!b}+`6J8T`bMMGNbOrh=Xc0%
zP3IQfJHSl>i0hDaXPY*kDtQ8_7%{UKe^1AC2ro@17ZNlt>QNHro#O^V3OFD35&AbV
z4AGU7tAEvgNt}IuNn(;N1u3QqL
zT|MVD%AqiwaxRu8P<&k)7mD?DsI{%pxnxY#V-2>493~xTu@EQ1KRMa^FzPBAE{Ru*
zXH`L=p{yq7_g-=J*29e{yI78zq{o8d+4nC&>yBf!8?C@9ZV6;vF$7fXpxR+<0-9F&
zPY!E`rHWR|}P{JHDs4TWh+Bymo_%bF0yN&~xJJ>)>iZc8o}t09+@rL9ZdW)KLtM
zzA7an-ly?$^Y>QLDU}nQ@bp{1T`KV2Q^HHFaf$91Xw>wJ!|Dv3$Dj>)tyu|FRkBt+
zBt%-tFH{E6sAEfsoBB}6sy^PD+vB`N9DICkGN`F7Bp+5XZM(IcSk=?n+`IfJc_bQ1#3A
z_Py>UxujxE>SVe4>^i+3IG2Ecjg9JKHeVF$=C=McKfT~VC;iQbjmw@Z(s#&Ps=}i}
z>hZM@InJ;|{CxQn)ETt1npOiu6SV9|$*RHUG_JWcY{_itS#mlsXcHJF(T2etW1MIR~l~F@PL(=Gm6PCOpcAEsXnW`d6;UvqMJ1CL#!m*6Bff
zv$tn98Z_O=a~D>f6WwPv?uU&H<)BO>{zn|G$Od9aE%~CzJ8()eA|cRI%7%S
z6;(X#bLLs~{iWz8th(jXYNB3I?Lb9;3aKeKOL$5)@hF`ccGQa!8{6F$v`C;k?!S#C
zA^D%SwhAbM(gIPCTDFU;bBMZv^1^*flC%ONi_(SbWa|e$YHYSnpY6-eZ4$*XrMEhh
z+-gb)zJKiu~R>pb!r@F!pZ+-R;|2AQe
zx^VsDr>kDL@60fq6)mdGDC=Co+pmU;@9?C~V6PyW+Xp8S7RW3okdo1%7lS};Fil7y
zln{2KaDK;ji9WP5yVe3%n$+rp@GB&dPjR@{ukJqt%!qlL>4d^7JoqAW-ZtH%7tdOB
z+KBOlg1Gax*Q!+jhFeZ9QSV5e75+CtwTj%|6P#I=1+TAFr>SEoTi>8AQl?X?pQl!Nwnj{(BVxn4i_ZOYXlCa$FeY#t%C&dQtlz!-0z2iRUH|
z!UplU>YFb?rjpd9yfPMe=wUGHX&aCLQ-l!PueVTMQ@NSn_6rJi(+_%%AjJzuJ|4$!
zMA#k;h99$F#{wz?-fp9ZajV-Owq5ELYh#dE7$Xc$a3MWNRQ!9T0x0-P3C<3mf+6O%
z&5Jx*u9Wa%6_~Lryo~k>dO#J!cT3|pTCFT#^+MuPDjX2u74l)Bp!k1)O#l4x4~za^
zv%&o*neyfR|L6s(3|No-`QIc|O^*LxBvdNI5&{UMeXtewxO(Mf2HEJZ!~d&+KQlNq
zR8nN~>d%HRBQ-u-L8b`WPH-|Wt~#@NPPx$`?Umb#3DtQD0yMD&Y!FSehJ`n_q_kXp
zl((2JO3wx4C^~ctG2f@^x3TeKRhD*O8`YFm77W!V4W${d=@Uo)sT53(ubN%fKUxH4
z{F<3lR8z>KeYUzNIXBsst)^`-vW?86rPZ`-a+!Ywns0yAC4T-AEoM)vFLwlJneLV%
z&!?iI@{@Xr-3MYgX#5dk8@+?i&bL*YrjyZ@*m#Wx+^SoI-og*8M&K74S
z&Qu^?XOgKD?Lh9*-{bwbE5`a;JP^XOr;hWG|S+S4Jyfq%{FNv8hDjh`|a_h
zVs;~fW(1@Uk&KB~70&7tb#fD}$~^?rWTd&|veNBpNr%mGK-&ftf|7YGvH#{3n0b~7
zecGs3QldK5p||%LrQMku8?7|~f2+;C8hK8bVlEnm3?nEO(KYdt@01&UI25WA+8bim
zB!~@9s~RY4PVzINTzDziDSB#2Cop66-!}eBKrLY%?ozYfr>>s$e`Tl4t
zBJNhIn~Ru>k)2gHQ2JRBLk!aJV>>5>VsupevnFt)s5NTv
z!axrjsTenk642830yML|*mSw>X+z@x+JcelN|Sj+GPycOQZ|f5fN5IuE)Ivdn@8|d
z;Ms!Hwa6Xn;gLoK1b5^!>5b=ipa%{weOpP1A3y{;ge{3`IOy9U>%4~09X0Ln?#$**`+vFjW>~v9TKjdajoqR5xihis;#O*
zF_?P~>cXaFl~+%jw~jV+N?E+MeiS!V)l}CW602?TYonEtj9KPwxsGMyW%B%n+pM
zvQOmh&A(iu9jOUrA>Blu&CbuJAx5f_1aKJ$Jz#&M2nIDRVbjgg)#d1Tsd3b5;S$pa
zaSTk%v|b8r$@x074qGKRw{*;W8k5?$12Jb$6Xm6kkP^@*dxpukfuY@D2@A^{gM;o8
z&_^?LxXAmI$6(M%?H;=XIQkvJ7W}g9c1=lPxiC`!fpX(9VL#=D!wF
zf0wr-%w-l>B$|%3B6(YGaC)f#jxsE1!e(!6bX~oiyd~AUI1JjIur;SU?*4-)$K@nk
z1gLLZs!S_V`}~Uq*qelFN&zjF+|9Py+ly&qb=4XbBVEG^wQaGcnhg3uAjpuJ
z==8_W4F3_sm)Hbn{)#AYnq>Sdq40STG5*39zd4s+mB^%1w>JQ^ACa~2)3t=RtW15O
zX-eyoiL1=waPIn7xIVJH+)-om^o`e53Znv^nM4w2CoHT`%x@nDD$ppJp16kIy^vC@
zYDrFM&KfE#$FS6C=9RIU5DLNi?^AOAEmrHHklzVEwTYRN{n%Y`w;-~%Bg1w~wfTjz
zOkBXcXf@^b_Y%eOpaD||bEYeXRsMF#)$!uz5VOlhE4IC3v%!!{R7P=3SqE$Cn4j?E
z3$J|yF%yG{@?fhHK9B207L_@|mK>;j4NscraFEJRB93%yZkq;d>{!S2bI4U)uB?Du
zbVBtE$ffoBgn@LX(lY7Cz|UQ1zf*|!`8|du_R%XGeD%h*4%-@ZLNd%3r^c_`5fheq
zthB?C_OxF`)j^-1ailBsO7>QDtWVRTZ@a3f-3>L-d^PT_zA_chllwd7p!6(y+1GRS
zH+Gqh6SghY>KU?+RGG6Y@;Np2$k|Bn<(joMFO;~}Eojw}%aXn$1MQ$8?w1~#g+2oE
z=Pl%OKg|X-3;9{}G2ewYz69%ukwgio#llP-KL3C>IGENPLwAO6WBgdDDlXRd1c2wG
zgo~fFn1T-wkIg2V2%S9#V#DLK`!Q^PcL4yEOc~jea`(8<@@e|iJvs3=+OD16NUu`(
z+A6RqRPz|&O$(9V?;=&{>tUCw^geDTrZIyZe#>@Em+~O0V@jTm*sG*)bKu)bJ
z6(28kOe}4kD9Uf{E?f8A-A7k<$|!C#`z^hEfBkH4R%y&SX+-w^B$Rz?E@3(Jl;1kZ
z
z0Bx^JX&vO}afIqThE;%u`;!pKp0Sv13=Nh$J(W!+xMjxdXL9sh+%yrh62`JRYRt+D
z+{xZNScWgpUWBx?xytYJR)q@*${ziNdz%YDvpc}KMf@lZT8D~JQ)_;A
zy$B*{G`3nnez-faK=(pXeMvlo-INxKm>mx=4Ng(r@8PQ^IMY+{YlmY-HT_1QO9`W7
zRHvCdl_(z(U+gj+d4nw}wAyk7*|?VUuB9^kJ}A&--$qPPCToplb{5l!YgqNmz&M3X
zqRAN<$^~DbR8H50D!mL1c2SHwJ$i%fgZUSrce$$kdI!LL&UngI%`6>D|Rl0v@bx
zG#%HbgO5>~XC7#x`{XTkFgL?@Uo5EIEh=+%t^Tm^|u$$Yv_A(CTK?
z=yp>C4sNxh1g;3vy2=9EZ&YGz1Oh3N?4wx=Ol*|&CaB_uU_EB>-D?8d))pJ
zzV*UIaR`OH0rF7U{tt0rZApe{tTW%{{SHW6qt~WiRZYZRR0`hYMyR_Gbvq4Ad2weuG}QYBO+aT
znFa4ke?l$Jyz*qNIeu-e$-t?~e!0o1^x}eVemY9hVJ6lYDT}E2F>(R1x*1lUp~2u=XE9Wbo53
zHpXdQKn6d5M9l*JtQ?}FHKMOOIY{uZOJ@;St9;iF8N-bivXlAL7%3@=sM&fDs?yzA;PqIie*oN3N_dP>C%$IHpi{w%5nbGFfGjQc55y3z~{raWA3YGDxVD|`E%mSui
zg8)ej#LX`g38_mtOf4}llrS~7X)KY&S)B_HLp1eIzQMR^wpSnYH_#VhP?f3jV6fO3
zgg}c^A!MZMe?k9x1!Wchhf4692nyQo$2zazg&a|+
zF9#Hb`Al@{P;O{Y=%mgDc~&Uo`M>kym2dvv?5lrFRnbd?^PA7m$Y}MiAo%C5)Bg7B
zWlsY9zpOF2f5GuT{_THY;eUB$D{fHrh@PifmK~~QelLM3lN_p1-Uv;Dm!+;iqS=sN
zkjHiQ8|Z`ED0Vx0!#r;=zN(Co))d=2a`GZ8JtY&A#ovNhJX{@IqPBbAYA
zO{R4;t*xVV3SJ0wb8!n*4FS9hFV%b?0*sfPz6&JK+uZDS)Ab|2FgX~uiSET18_RN-
z(8Qj`b|I50R!g6GY+nu9GPE<1$jLjnm0_S7}Aae6zQ!D_@8E0GDR6*oUlmrNAagb_en^&JRqv!zMPrH
zR5$|HhzmM*T?qi@;6D&WrpO|?RaW9}0Jfvg`==68-qTB~Dw+Cs5@Bg$j58LSbmINV
z2&q}DXb6N)W
zwRbsoIhB^CI_*r1p5xPqhqx7NMH&LWefuCHNj=y6INYSXqEJ@t^1aFB@d{9~7+VAj
zRJP2H{YKVU0TFQa*7iPc7Qp(Br+r9$(Vomvb^841cl8GO#i;4q^2(glzDvdv6wpE3
zIf)hKc=922g7<&SFO~~6m!fsRKF8z91gKRCYjq_qMIpCO1C>lX;KDz_A}gQ5UOk#Y!{4(Dv2rsUi}7=o
z4NZGdPq*sS!QZ(|%|Wz7GJBk{)GT~G
zetQ~)w&M=Pg+(w9yH<;ui4ARvgh_}SaT583h)0qyn72DEcRr73e7snjC4)DA4CXuQ
zGt(n--J0&Mq$QA`dD5D?3Y|M^;wf7i_1&5-oy%fM8|S6K#X#JPZksDH01k8$ad~?B
zJRF`kh|Wn+P1XF8E^j@X%dX|Cwf$USZF0I;S7*5;dI8rp4ylf_TAW!&@wG1GZh8{c
zj_HOMR|sbUJcik}1RuuN?B%)k6q{|K?0ZDmK{T1VUC
zjQ+%$kTlJxF5Uu@H6Ibl24mr}1Pm>JDk*Begwl=&5u3lLd#vClXOMlE0bh?hRq1Nl
zdOUR435+C~+L9cZ6zpjmVZ@tae5X}1I|qx2i~GwLk8PKk^Oo+e!1o&!%(XH&m^liyk@saJ#m3G!5&2w}H;MTI4*ygv>af^J4OpA^B8Z
z+)kR(4Ui>GFnonoj_4mwII4S`s%^U6)-~NSS^Vj7JAhltptG#USejbc|vG-E6pqYDSvEhZm*RqP`j
zx)Ktm!!dySbA)f0;w`Fk@iD&}^WjRSg3%Nqy3)A^5~Oz
z{q|im&25?M$ooo^v=w}^PeiaBd3m?m7YbnPG)G?hNODOuJEzZV6(7t%TVei2=ml
zxcT|~Q(#Jy*_(ol>iQX}EXi}g%*PN#$Y}`?5{hkNNT;dcp{r%yQvMyn%AIIe=vIdH
z&Ic$WRoHcQI7_AxavfP~xYRaOMP1SvAP!De9F?Xm&c0RM@=)?M<&~l6u)Z!uoZs^g
z-K<+$y8cznI-@3LvAb9_kbJpxzbbNBKY64fgd$Jlr(Cj#=O`5GNTO^=`19@X0icRjy^`8!dcEvkrI
zYe<>VU8|@sSAU3sXGFviq!DE9ivayJrQ
zNPQ=vP}VfO-y_fe<@;ASUfgC3s#^}HgPl`tZPOq>kd0iOY_l{RKL*)f
z+RmO@klS{%MheNhydU!ZI2roZ$YM8yiS?XndSP(FzqY2ox><18J-^gCn$OTs6L~j`
ziYPW*>`_Y%He+AEZpM((V{EO%=qX`iNbMFjpQV93>C*SokU7It$VS`jKs~`yTV?M;P^383HfThDM{3OlCdD#
z=J#dZk9j+tjPqr-Q>zh_wQ?G)$;oOGL6O74k0G=gbj3-!1Ca`c29xCz%Pe26eJco=
z*mJu=Ukl)|lJL1T4R0?mb$UI$pp#NoZl|!;tO1g%EaErz`5$W)pIAGT}M+I#W!0-YNa@s5>n6XBva=X>ge}W(g662oAtV(lzNzrK3hD-kUne^;ZjakeO0p&QQ`aV$dHke)Wb+Q+&U=m8H
z4X3*yR7Jj|_f;t~pL6m(HYF9+fc9C;?DmC?C2TAgbgAl#q8Fmz5Sto)^Zl+!-p2Rh
zh^fsJQhFhNj=HuSB{Now^|fC?JKs0k*eFHE6YUqJ49D&(jJiQ#i?bM(JMHoG(h+;w
zR1&(jYU{YJ)6>a5S0gO%*fz}t;&V!ADN1GH!-4yY#a|Cc;lTLvFc>rGvk7L552CPG
zN(8)Z9(0e_SgO}#Y$+pfxfb@vYRqe9jCw}4E2$(vlS3i3!e%DcMP9lW
zDh@4}_-y8YHhrmz9WWX3;}uh3lJPl7-Ph9npgq+!1G~U+)P0pz8Tvps3{-roIUxms
zCn6oB`%gCqkZDi52?+Q+P;>9EJvBR3y$e)O5~*(;(~jxeo{BIT71tOujIZNTS0A6{
zF4nMNe|>wa!FV5QyBrd={;;_Tb@EFZ;Rva*-TJM?2_nzAon0F$9uzsN?xURHord6-
z&mW-*Fr_-)c4d18uNrGfwmY)Fri+^b-f3{(%vo7I$bgwsrzKxOWw^D=U0UbR#1#%S
zRlGn4#T)Ve-qIU`aA5r=tze<$bkRu4^+{*9AlQ@6kWzFi_2MPqp0*K!eg=M_2jUJgcyx#WD8*%hQPW=&dA!exO
z1PJT9d1V1viwL?P?l)(~wg`MbjF+{(7m-<=?7H^`9+;|Xs?{|!V8)eBRTiZ*dJM@K
z+78rA0ZFdEl7VwfH)~)fEV~06a>UP+>>I>e_9ROvbkWy_q!#hd$*7wFEt+wgPDy6r
zqaOTfja<~0j$)>9kVAY|KkvP3%9mvr>j(NPyY#|0m6!r_JJ;|>Q$C|dfHq|Z8
zWCx@Rw%3Vbg!b8G*UL}N`o>h2GiYd%asV6UeD9$-CSa(l_^2_?`WU_`iC9x4MA8I{zUgqsgV&Shpq(tYBoVP0?Ermw5Y
z3ht$zlWOJZ9p$B*GSZ+~N`j=!R!gV+lH|-89dA@!_7t+69p>wJ$cgYSg|#hD;1b2T
zNYLjy>pWez1Xf&aId~Z+i9to%t&cCgK`}`qyzY1U52vT=B2I6tZXu_j8e(L`!TszW
z_G1w)tv_FN%g?)1bF$i7XR$)am+Pa%o(PT;X)nddH+YeDh
zXUteCp%SG;@SJWbKz7OcldG)hFKOA(isX6P$>P{Vw$)DYTdu5|CtZ5N1)JRiZTAv%A?aRthkcvL}S=b&(3bnoo-ORM}>
zQOIyXUi>2nWlWX}ZJa_4
zQ*zvDaa8nPG*vGk9wwB`m^L<*f1Sbq)~MyBtfZ_ANtL{)Fg+$mZP$v9j@O6z
z)2`B%j-K|GQ!W(*F$Gq+m_rZlHMOrZ(=rdj<#&GFw(UOf76=kFsI`V4a{ci4OLfXI94ROCN$0DOrEFR{izg?L-s#vyp{*P%iwV5W7#HBp&z1ts3GuiL
zhM(yj=a%!GSuPBcqO@w3fY-Uwq0Q6Cv{=X1&?R_-J|?ESdB9BmLwID;J~6SaVGF8zVNHI_}kP34Av^R
zZ$_Shjh{zs%v2W`Yhl0~EE5K!$ZJdy&G1fOC9CcaIbD&+VfLqx^AL;)D#22ubJ-h-
zZ}`n2i9TKXfr9cJcK0LvPk288fp6zO^>ELwPwe!1PU>1{-7WefKls)*jbJ&>BP;J#
z^H)i78!{`q_}bag3=|#MRIJNs4NS~m!6BIGFLcbN7%h2tTvuj!!?mzhaz8{Ywl+j1
zti(1XV5&BN4Adna(la?PLJ;YB){OL>32G_@J(r9#Yk3-TriGX_ri`35_XXjte*xlU
zcRF>lk|o@*v|;rr@w1UcXg3m;DSo5|2gU~bH8l}b?fZAK5CP3Z2SWK`n{ouK^YF(~
zzN2!gYrCaku3a;=p}5jhQR3qO%`6)
z-Lg0J&Cn`d&q2;2?~wo;Sc6=sd0SXtE>2tc60WL+Na`0f*dTo&Hrm{pv|Wv|yzPkC;Bzz0!wPGJQv-rK1>A
zZ;MrTw#J!QIm63gt-&9Kb+KZeWS4`7O;z;czIYWWJPoadi`z`R@ww@4JGp0CUA;g8
z=$Qk_Lo!?b8kdq#9zC>9yU0;KpIQY+Si))H+v*-t?!n9OU854*Z4VmCqHB+&o%)N2
zVZ@*}5+ok3E&}DHePlaLo>zNW8%LW*NJ#)w;&9ZO8S#xx$gL3r(e7pj267H{#an}%
zkF@1wMNiuxuUtHm79T84eD&HA
z)_Z_6Twv52*0hTQx%**E%te5@Dtm?aAQvJ0p2
zA@a0(t)SbF-G-)wN4e3IWisc-Q;u)a9U9Cq&}_JDiBUJDf>kJ*HOx@44h&CqoPZU#
zr7(REP#V2&k?!^cD0@uP$7qFPYqs{Rh3SlYmCe1q%4yiPq<{7|x-f
z?{)1b9*F|!%6QOh5Yu5jY9;A)wT{sgoyl$rU52D7V^xGu4O-soZ20XOshLmYMdtRZ
z^NK#Ne#;B-bM4aZ!`2FR!7)Uhw)pmww8i87&d9{QZL9#785Ivrs#l1;(K9bAJzpA>
z<6iM57h0gdvR)JQ{|bosh#VGFHU$q`3G)pvL?QjNhTQKMnB$?_djX0m`D73oEd6+j
zar9lq*W}N9e4XCx+gv}Zf-ipZ#~cinD+8n-^&+q4nJs_HV#71T-8>BXLoo9u-K3Nv
z`lyOle7+_yPO8z*c(_@sck0W$^F^QGZhkKP_pL)$?9Y>Um}FQQvcRs*5qYCQ*_e%y
z%|zd{ZiVzrGT_Kk9@f@^t|=L$2I4VnW|fiMw=mg%uIw~PBE>HyHrXy2vR|D;0ZzZl
zhLg=Tm8bJZ<}iR7h-1)E^o&2-Fr%^Lycc<-F@w|I%c_r-u`Tz1zM?uoJjAfAdgUH(
zu6vv#FrNJ9o}eP;+Yi${ILjmZn+3@q0MbZ>{XbdZ2`1zB
zI;OZhXT=tsQ!B8v7kyXE5iRZJVEi*wy3(X7qwOkD7?uw8hn?>9vrNPg)8~V<)lq`g
zPB{=kcuH^h)9WHpuqx+gF+XFuPqh}Aiop_$kHjc1P|s+1Zui^~m)~Zd4AQ0!;!Bn-
z8Jn!`3d{oxTnr+s7jrx>HHg|IrRk%m2^1lBfmst@2Eb;B+d0mpQN3s)=}&C!$xCM#
zQYJRi)jP2Jw1(WpLw{=`?nLytElJ8U@qEyL=3QbPOR0E=0B69O(lz2ul!KimaP72Z
z+MvhYw8;oJXn;T>h#C-}9fEe)NR*^%^SobjQhNzCo`sv+<>4NlJ5I3iZPYX!$H9c$j+ygwGSDyN2E&*krfKQhizqCiHKMh81A4
zzD;xTk<&GdhRL5=l0TL1ZCRD;-}+5EE5=Vpj2*wf&i^hCPUx_)qiJ1;C2Lqfx+4-b`
z#>g@Q1-(bzWhD}Ll1Aeii($S_30aR#Q(CX?U381pU!#SB%h%Z_rHFYXk7|a*gwIC<
zv8^s6gg^rhZ1Ionz|?X=yHFXvv2W~gANQC>+!OqL-LX~#oIc=c0tCCyW7It8o7g@_
zQhdP>_zgV*f;ImsYVT_ta@b|xn%o!rfd5V|?HN{WwL)vbtNM$RNrg00&o9+R@IFBi
zyC`SX5^*kxS^4iTJmp;XYw(MycbgyN@FaXi%`ME_?8(QB=+2QugQ9CL$!f7m|AVx`
zGl4l1Qw6WFrwZeO{w?%$&U?K0D-aeNj1P0qjAKh1)oLyVQ9;t%E|Njz`l?c_wPk0A
z5{A99?Tzdej8hqG&&Le&s1jV((Qk0DQS=Xu8g+zrc{wcbg$WbQhkuew2@ZPkT^=@<
zEMY5w8uG0?2!Xr79khe42-3qPsY3+JbJHgLg=Ic$Tgy||;3#cc;N?ljw3eknw!7)x
z;^qOJEk6W8o(CxrJLai)V7a7;FPJshSLfGH5U5YWHzOh(JT;dWhK_sWoMR#SipR`A
z;KnF169#Pl9*!q3iI&FUk)fxm9{C=xCmFgxiM};I;%g8L%!Ru`{4p;EjM^LDc`=!f
z_4oCzK3$^4yIg+$^wB=bU3TjuP1K8fYup1jz4jRCO7X23WjNptU}~?pX^ZJu*lJTJ
z9x?R;=4_`9Po128nJ0Af{kPF%k2O{EYV||ShWm#w>El@(+8qOMBgVW_qb$P-ZsXV6
zs>^(fT08T7rXx)1X?r17c?K^H805NajuNXq4EnEt_c^{qU7n_k@i%8i>Adb|QIH$J
z$2SClyyyw(KTnY>M%0kvL-+q&tYi+M*Q*mz87Wno5ee?c?%eEsYH9lU=tuXhY~go&
zvhoqj8xvVnku7qVT{<5$ZpGNn+is}#_==zFAk-4AS&6pbUNC#OSLImfM0oF0aVhlo
zV4JNCS!16kpmVl6E2&oM8`7@IJ+U_2S6bZ`kLm;Hyp1`%WB0An+Cmy1m-g>)zo-xO
zdQ|y2;NKnXyfz_R*`ZNXChBnkVQa%dFfA`r%vJ5l(~9vAVEw~fUeP{n?D@-{#u{${8{7wz<~dQ>HX{J?Fz!f
zJzv>svA{OiGnMD}9JL)BZs`PMSzg(1{xgyOy=gH~%4M2(^K-9!vX$R;W@cuD-$Qu`
zBrD4;3lc>V7#3d}dIY#dyBM_0Ac`r}%Y_&|wE|o>C<%_yRQP)+4t4E|(X*PjPNFyk
zovvw#1Mc|)@yq6!)BKKk?fh#TWQAfG46iz`DsisTzBKqZ|Hw@1{%(KNevy32WUg8O
zdhYDD>OOz`2qc3N;ir3uR5!J>On)G~v}c)Cp9KakC52{*gfk3PEF0-H5;gKpc|JSZ
z_6m2=GrsFKv=pK>)w#e4%*~9~H&?>pV6okRF_VMa%6|Na<<1&6XIE-&6m=XA+!-(?hs%2BW!AvCSi4pG8p0Xt
z%ybl0y$EMJ+r&h;XoWbv!_95+xRo(7{gdqG7K5&>$Nc4atDX1GuWttFbNnAotf9{A
ziBs8U`<8p@NbG)b(kYtwH6ji1T6dR9Ac!MMKjk0rBMJt$dd
z=Hbed*vam`;JUNf;ca?MO-b2^ZHU2*ZJS`CBemRrD|``heV>1WrMg5JNP5RJUEEcs
zfD*;!^xah4n<0oS2naf8)>>^K6>>|ja5R00lfn`(u
z-Qrn}EV|=prc-;kNJAk~07jKHMP8%J?y5C6Skl4kE;1?(5CwB>8828+Tqc`9bcrMX|VVJ+E#SNY?n)${)>cK?Wk`P
z%C>wG%lOX0X!B4CL}t7%j}RBuORIeR(1n}jA`QAQk{em5=ej4-*qPZp=)0U^(N}Fa
zr@9=_cYSu}G@(Xj01c)ywj<+BAnLV=TsGL7e`XSsXHO@V4+4ZlDbtUnaZwtO#-LvqjPeDUQG&Z|U|b^u>j<
zX^HN$uWB)*R>8zq!&nr%Fl3G2^eA!~T_nOngeNm|;SehVrruO@ewx}h+iub=
zT0=XAh3Obl{h{ATH$Y!^LM`cP52WQ>8wrtsW%d;3ny@5T4=Eb{kY`Md)u1_?w55!4
z3Y!J6D_^v^%t2#!h(2l3?-Lta_k>s{4$ji(SQe+Ma_AQMM?4KUArbwQ&q8jsdE`8Vx>>oHcVi{3-_?9`NW-p7?aVe39aVFB*!+|6!RXM3zKPT4N1!^si12D+2
z9+^9p)StNRyB`GGpA(XXX)aju?%-HWg4-;TbcRc;0p_1wOkD>9w8oM6pP#97R8+rg~Z3%&KxJhjV)=@Si^Nt${3sre4qitn@ol>`kWl!8hfUI7??wPiVY
zvvVh)8dA7{P+1<&6ZWGjsCNK!Exeh{Adv{^X^VE<<{0c-bpG0(%SBf06fz@RDsU%C
z&Rw%rpl2izQ>ehb7cDQu!vy#q7PvJjnOGZ-I%ba6-`o(Q#;cePYlbfF&6;XHk#DVa
zz7e^sa%<7kIp$DEsW)-39Gv=;2K`0pEy7J`OiSko02AkPR%nwuwzD2P5Z@E@NrpU!@q(?*Ohv;kckdP2n&1+Aq
z{l+*mm|Ii;r4XkP)`B
zO3oCNMVmBlLNIs=dF)0bF~X+x=z;>O1NedsvEjtGBGr!Eg%TBEvKlEAj>6OC7^l7M
zZ|m92z}jM!3hAhIJwF~(1D)%tOcdiF3;4?)&y6ch8XBU_ZlM--h4|fj;)dZGb7uqO
z=g-8cp^XANHl|akYNb<(pwf~yZ5--wR5jb2X{#}9@z8ykSLw_34Ls+BCoRsc$#>lN
zL>UM6*&1jGB9gaax|7@iUrcd@6qnY>qeaQkcbgt3Cv&cNEmEUiFwBF^dUb2#+jYM*
zvi)6_1NN?o4M8N!xr{di!I0gOacl7H6~onR)X2@>YsgF>B94aUu4RPA^>Ys#3_yiz
zUKZd+i_~+Kt4xh@52uJ$S9B2%8JgQ}o${|Gcv5WuU`hFvMAIV-~#v!1>eM^GI
zkED_XR0b@>0bk-tLF-i^RA73n)*{Ee?oJaFp7pRdySvKFd=+&uV}42E)A(hCNlKLP
znx>l0{hJnhY2rL*WPC9>!`$C)^~K4*-D*pXEm;n-_~FyHG4g$HvEE+A!`cZ5og*UI
zcKX%E?J9eG=%I4WD;3dilpEe(Zc#bnOem?j$6b9QNcpp)=p7Vbxq9Ul?l3^=!iO&?
z#q@M@bDB-D*!Fzxl1_sO#~#^$>{eG>kRlhWh464!)`|M<1+9$2<5G2ch^It;nLsIw
z`^b0@(6%K@E2Y0vN?gR)LJh(&fKp+Hn2=4CExLf1y?$B5VcbMuV_sn_jJ@?Gao&Je*
z^;c9;d#`t`{k6|Og>M~A)hgD-0h+6KfxTg+cqTbNE@CWgs^C}%lPXpfNJFn(Im*49
zN#7`5p@{eIR?l;A628uT+&U_}8)nMbXE|Ec=>81)2{?+k%`>njCm~NR3{Z&&Jiz^?
z$p0moiiBC}hTp~nm#BsO++qaCC@ZM`3)4ERA^N8dY#%K>N5rHR>;e1wdrqG_W#fE)
zDne@c^(VrzhGu&6Cmyz3d`bnm_q_FZe}1(q$`dWhJ_8G`L-w2JVcgG8vL=U6Tj+(K
z1!ZdS;MT}2?5%uBIWrKepJA%jG%f=+>qqZxlY9}r678;ew6VKJxG~;+e{te-7EqFq
zW;aTyZ9v7mXWoG@pKETDgT<`S^1x9$3~+wqZuz
zyZqg@D&7*R_8h?vjDR*RP}H?m&GuZiX}v28xVZ-hUo%{o#^+X)L+G@zQVemKU~IjF
zJy3^3tmg)2@*az96hnR3ytLA6BU=7L<|uvrhpJqi(af#QPF++h@nI_l@e_SrgTRjVwj#b=ptP$~pdX-mh#9(G@qxSvDD
zDc8e*4W8RczxD(FMe0>V0b*#PHW)S0g^IoVs@YTZ3*twI7LuzoT@$8r;G9Jx|KRk2
zH{!Xnm>>Rqv+ZL5z7#n48!_Q}vJl;K*mA5{>B8j6w(l3;|yT0eFb615G;y)qAjaQv$>X&C`8m#5IEuSxa&fl*-U2<6pBIIkYTDUy9
zdaW&`ca{CS@NZwTP^>8r#us10^lhw<{QusCi^BH0FCOj;%aI>dB1pHr+!bJt!}
zbmL#jU+yj47<*o#dN|6{BZij+<%;Q;2gC+n)TZNROP!IEk}k752Mx}jr-fgs32KX3
zC3d*utn7Y(+eV)=J1~fgJYm+j-$+p0+5V;?vW#R-s^jvA`+Lg)TQ+2{-*D|{9F=R_
z7W?GH^+dq=79m)LsK>2la5r^n$SVV%R_km*Mxhz-UnF1oo&IWP2V|NIJV@2-*me%S
zDH+A6(*@VMmF60CGS6pr%ShSM@X$~rml$n&C#_v`7uWfeHa)fwP0qxUf%#!5HQM!$
z^ct~Pf1-+c4mDJ?MrJHDQW_3Wa8SSl3xyHidWUovOu`T^rX5Y?(5SkMG5Zz?Dd3Mf
z)}S=|@pP&_ScnJ-ZP9S8{}F=@2ABA>3RZESspB6wts_-!VwfuNS8sne?4Wpp@gm9^8@{L4y^t`v-wLr0Y%23T?x|t>;7?n0dq6}VTHac69Mz2SQ)vx{-`u!b3qu251G`C=an|5Y6BXG}0s`hULlM
zx`M_}8PB}H=vX`fB!T*b6-^O82C5?Iei6&{YJf84%9Txsf~FRA^tB_;OukZ#tj=9&XCp^H2ld?RxXmLN^-Ws2ZEMm05f(VJ>aP!_E+lHWtD;xiFv>-F
zD%0Es^k{LjOYX5kydolqRU-=cCwBo#y$R7)DRd|s=~a>Gj3LLL&zhUXvf~x52?DGk
z>wOyuv)Cz1uqun|#^GJ906!&~k#S4`p-lh!oW&e#o?Lc%&ONeud7Y)~YZYi(O&`)!
zan*%9UQPAdIN6d~LkVIqLxR$81TA5*BlROV7XxE*=9gG#Hrs4gp_s5N?v9-lD6_G0LbIsLoZ$>lt?p_zxtcf0(f7$CuQ~ob>&!hMS8>T$uy6^Ifq91D%?-S0|ik
zIAnh+0vxIKmy>zBh6u@O&4!f@pWFqRt(V6ir4t$;L&TyHikJ+1GVo
zzfCm$X&;1yjrt>Hj*w+7PGwsUF;0NhCS7LtZ|l8LMO#`Dx%r=Is)NY3g(4%^qvV4f
z|Fk?4{*xyiT*W*NPo>bGWbiyHrS2mqJApOc!of57Gxw8E54-yhDRqAOWRZZXD7)NY
zOY{1K>C=&cf6jSW(z3pk>q^2tc;7Swf#wT@9db)G&iB?*7DO|BWzsq|Y@@i?#yr%a
z_}v`ONX=n-D|U#|dBpYfot~18;VOx4oWhrv3XIMEw8}+=rlVt&l+a@Be`Qgfq3z`p
zWGR?u4Cx7pqh+7}qS5g=c|7IK#a`Lt71^TegkR}q{bZ*+p
zSM=$%CQfC>;Gpvsn_DbPLljJ(Omckrl-Fj0IbTxIk-3%yP#}zy696|1eO=#X^ZDI7
z>QrO-vsHIowqx7iKgEw>|I^3vFisc{xM6n~72+LKM!HNy3q*zd^rsUK
z&dlp$Wsi_xESE5;5)Y%Os_Ww>FAQ4CxU*PmAAA*=0{8Q6!C~e_pHBgJnjn_*|K8)TzNc^rB6Obq;MaWymo!}IjlY8l{yu9$9lyi`AsX(vNl
zt-XIXs(TB_=Kas>(}n66Ev;rorp%?cWmXyK10IUkThvK|Dn>5f{!-o(_N7J+hFLE+
z$h9prmM9Sb$WwVJu6q|TmTRLRB*pszXlek{b6sZHFfuSl9+`p<9EPc@tz8$u(Ej~F
zkjoot`^+DP->$;H5w+T?1WuKT<}8a&z)ki{(~XDyNbOR8^ziNJ%Eqc{sYkzd96C&4
zulDw9%nUVhO!UMWRs`(N!Fnsmj#RZ;ShD?Ml_RAQI$2BJ_A6crI{5cWXP#e;n(xy7
zsR(QP--gTI#n|8SZsqI$n7jQ4ID1Q3>{V1$)cU8k{OzF>@VtHbcdsM*|Brg|;eObh
zb8iGzJtLPp1wTfl20l9Y-%h)46+8i+*sNt$pndTW@#e%nuOwL6*|$PpZNfv7Osf8u(^aNT#};
zoGVt;*Lu8{_jHp{o4p;B7sevmjSMqlcE~^vMPzd#EK8NI(WC_+4%Y{B#NU2PU!cSQ
z+?5x(p&cibc?-=vmnM2dOGEb(^q`s=`TNLgZd`Nz0<)c7G92v0CJfMWC;;YMXW|7|s=?U=b`4cPHJPGxx!Vy&By;Ic_*_haUX^J(b$YRW%sn93Hd$8m2n
zHC=pIrP?y1d}Ts0MM(CUf^kUA^&mP*^@-cL+9ccW0$L=qJsFkp>MUb0Av71y%%Em3
z7&DD&r|Ida9g-uDUF`yB$x91ogDNCB!=DY6$F41Xn2NpP7@lfv{QPtC>S){+f4&Hm
zwNF2Y$9P^F_c2-zZaV&Ial`U!UA6QrYXCPrgTr=oaLdoN!7`uR0gyju><`}5X|wgZ
zp_5lp4p5|Ob3u~Yk^4i-n
z7+Rzd%DeK%LZqS3iNz75dlj#E*w$N>j;lMgdSoGOytWPSmQIFLT;$~mo?-Di%>p8b
zg-zFeOd-NP*;(#_mI5*Bf1n!3b2FA{*%5}-lCnH@_z&=>nbxfpY?FoKWw{2gO;Xyjk61OmX3G`!|H0MFFM9R8cx|{c}rJ&voDf8&a(CNbqS^d$qlPYzZ>ao
zDo=of*sf1JW#~E|AC6UKCX-WxdxzY;V)<^HD;=W7dVYg4K$KZj!9QckHz_?FYEHYT
z<2NLS4)x6^M{*+`qebyUG}?asGRhqx^u7~6|H!GOlkFLA0d0|A9z%ciQ|6ut4Xx3%
zoXcweBCmOenf(n;c7Eb;1eGYASZ`t6_E2(SwCTdxq_o|kko`UNphbBlI?`6r{TKV!oO539%rmy}(Z!sbgdEOP1>P#Fn>3Y2dwg1?-{nByw?
zygB(w?W}$i;JR3Z=tsUARHfVt>=DIptc7Niybh?9qJ_n@Aud%#qm(Rxz7zHLJi5ti
zqwM~VNwIqe%b_nK>-7$a4%|bXz=A_=3BCl|ID?)hVw(o;F?3DsqS5U-)G*!pkkvogW7zoeeJDR*sI`{+;XfoKP(YchID@
zt{-p8sPXt03C-`BUGx)OZUy%h^1#ikQEcNlgfv|)$;vn}j-6jkM`d=xs_nXz7MoPv
zxbrFZW$Nb3ee}!90hCjMCjOWZS!)RH^+vs;gac3jqxv^%aOBB6!f8hSXAvtPJx4Gb
zs=fv@i1&}5t~F!MP*sQ!qCNyi|$Bj3HMpo7|T0;Zun46U*-hEWEPO$D%sbFuw!&$s2PD~kC
z2T5C0Dm!i`Bo4aH-w5A_pyb+0zo)6xu&7*;?)7X~()Hn$hEH0j!7n|uRiL~^jW?kN
z3oY)Lq6b)zro50zNvS$b&h_429@2kN2M)EDVCUj4P-oq^Ug5#*c23w?l>8)V%BTBe
zbtlY16=5D00Exy4mW_oB2+1214FBv6rYb9Fkw&1R0=$G++E^ugqf_LfMdOsSxRmp~
zCUzBMPO&*nBs?@|p3Bc+(itL~jAIJjcn%KBJg)P6R1GcOt_=;n7a=l=EvBt50vLOm
z5bGvvrqX6cQ`B_fef*;maoU_Kev-__y{0T(;-h1&lj1G=z#l5~^Vy{VSF4F~wx=Q0
z9y|BYrNAx2EbD?L1WxpY!F8^UkzkZ;$p*47Y|0h~khS_H9fi?v1=zh3)30O3AiCr%
zVXu%yxxVXc?umsFP*xN#h~4N3krP}I+wow~HAVP1=YCr=#HpQTPJO^6DFK;~)=M@=w6YWSy3ZhfxAo5h7
zJ0kCL=<6%I4Z?nB$((nmx+M(~;^}&&QV)k4hc5EEJyi_L>tD92T-jCQe^rHiL_!4Y
z_X{Fhk04a1|hEeh&+`GeglgY&P
zTP&W(MXHY4jlFnrX2)-iF9hIW+s-XXBqC5)}#Z9=W8B16X$s#H%YsV2#@saZ=f;~oEGHR
z5@$v?kDQw-^sbBrEDvo+qDys(AmSxIit*|`)
zif-PCyQ{wh2&_0!ymc*>=UqPQBY!UyZ%`4N-1f&qD>%WCC#nYpPBWt32X{$lift
zxLo@=J3^8&_GPU=*0yS3uq#_PU&!0GLZw>iOESadB)
z%{mAD1}R@(h|F)+R|GqlBBD8#LnGK3--}IdU=DAGpwXv#T%Yz{uCIf`G8|yV=M$tv
z-3Q0>H|7GDOpMq_$!9i6I4Xx}Pafe0QU=R42N^8{+LRp0Z5Lt-+9HTlfcK$Bp#3j9J|kflDZ|v_*1c713*RR(FS}tI
zEhq^6lXvc`)XIm^7S$Ici8r5Q@)H2)bgpPguoMa_+>P$&ldmc4+>D`{>RwHb40SOy
z!vbdes$}4lrg#_iL#hG}p4YQitTz?)k+)Lk$n93vd16UTI3r~
z@7rq1_gk^P0=u~io=#c3@{|>h_u7HFh^`K24i7|0UiY`wWPIV4I=jSQi`vW2xG8Pc
zYvEgT*8=mBgnn9nIYoJ$rIH%GgSf9r;ApEMI{vm%J0ed&PcSxe8if3C`m`m0{B4@J
zWAyMfmF;EsfR*egstHW0vgoToJh>GUbPSV8R4=mOka#H{&4@fQpejVLaBVor6l@ULR!++jPrJ6O_=Qj
zN;}Hsy1PkF;TxDQrJsqbX4)>Prflw4q7qDN9Bi
z>^YO0t(M18|3<4{-bbVw62YtJ?2UIV#3c~$i`dgwvI?aQcO+o})Tn1U#p3(l190`@
zSJ==Fkx?=Ub-!=obd;)~Jd!#VFs{$!fk)h2LQja?_9_)7dIkBmYJ2?=A5!3p=>K?|$8>iQ7B
zM?^9$I1IL2FsE7~rk=aNxkU#xni^1LOCTlN`;MqSOvL*%d$+hs4rwz|oNaB{XT*;x
znEU!>IWddMi}y)S&0pWCZDcb?%tiHAe-zG-rVSCZ&LqMe!HQ=G$mnSoLGpiA>|u^-9DA
z>JRRh3bToqf2(=mJHN4z0mTf-Er?XV0-IbxBD1&0_uK9}Z1;&jNcr)9bY-@u!KF)N
z+8Wcv7-1;sun-_}(h=6lmV%bWx!r6i)B%3nXdesqeE0@uo(&a8$^LwV>69N1qr&W`
zsVcH&0$|0Tqy>18$kV&o*~SZZTzz*_PY`aUGW$Q$=tG)RRaffJeyVX
z*as(!oUyuNeEsJ>@?PDC>cnyZfsOZZRWj)`1rjRFdBmX*7nbTY9W~&JriqXKHS(r@
zQ+B>hY#3C~z2C*Cm|dz=GrJ{rVNh|iipfy2avnE=&3%4a>~$I(o2HZEc8A0mhwNPv
z7O?X7qHf&1?z!1Jx{cX4cph6I7+=X27gYi{>BnulB7B?qD5HKy{fjjXo}zfzkG0P1
z&qVdSn-`tHzwwX>)e0kfrR@hy6Hs1o-ak)gg2cVlJZ7FQ*pZYx9z2r}k#27o?vvTV
z%b`#(XR~M549QZ(6p>L68d#Li2z<6#*o73XIJx%ZTOFh>baNWdu|{`=sig^`|It5k9>z~%tp~y?6Bp(G1jWCf~K6A={3-4C0bl}z7mUC=d-Mfl&RsOG_ldQ
z&N#tOeX{;l|H2jT)8G>Zu0%SiPaZR(>&uX4j?#Mm<6EWboSR~q^7Ys0BVCwf5HG~LvND&=UquGf;~2Y
zrUyIUkF87zQaZb-7mz1fvtAP>l#U-S;hW%E6~9>qH`(va+}j|Y!_+7I`ZBS|=}97+
zG~ENud!kcF4Y&!P4^==O@llyq_=hFmL;U4sJTgEkBZP&x)iP%PsAf{YTmj&z4!mHg
zY2fvr5UN5bfZ%_Bu-M32%KxZJdm-InU8A$p6Il#YKQW~wgwzePIh%9Wu3dYczi{{_?bb=2W5qt16_-W+IVj;{R`Ium{-M%jN9R#bi70YY%>z%oK5T-XJ85s
zaV1mHPvY&qUIC2WKbjuX(WhF|H}pIj$Gd+?a%nxBaJ{7_h-U7=lRB)
z(`r6H@+yPqw-r&T?b#Abx4CHEGS0fDD3`!QQf~c`}URsg=u9SC)pko<#trQkGHC!vN4e6sZNTYT>ph3>@51}qzR6#mv
z&Y`_2tTAEkUe@$#dad<}AcA9`4<69+WUvWpf0S6g#Ypc)>Ic?*E2MEc`WoM5QGzly
zmY-v@ha%t~*=k>*O4D(L|C+3B-iqz&?CFzb+uQ8wd@zl|Dt*7FOEDF?6(2rY%fy%eoGxxVdW(Vprx91a>!V~V)X6yQEiZpv?0tX0ha{P&q7{VNQ
z9LDv)g1Ao;tu2nau0RJYvS-_2ojm7+aRt47{)>p^Kdh>Kib@Fnn48`L|G=!IgZBQ+
z2BAea(QYDu;p^F$$TZ-}*xpV5q#yReybG0iPOYP&?08avQ5#E@)B_4$FlcW)?S`*a
z+TYsV0*(4Ual5_R?rDSaNOMpPX#;~nOi9iG)h@ZSY|EOg4xjse(A7J+B>g%
zwf&ZcF}|_l`+Nyr;n#ul5&~yj{E@6y@gtVM+5`t~e4l0LMxKEh-)`PKS0Z{Hc{Nau
z1tgaZ?|AMg#1hu7rOQFrB0+@H9)hUa-e)kpeM1G9*VS&`PE0)L!EEq@Qj_iOYMPw_F$7#-6lr5HUa$IVntI6a{
zPRrYCz^PuL*gnmf)4vU686J-~>#PV+wL>!dSR{3e@ervDgkRrSk0{#C(Ym?IQ3TFK
z{lVx@ms#^p38Z^u0G&(cToTQL{MmjWS>H_C2bcAh^F
zp76eOyWsrde&GY%I>o%BMR)BkeE{6;UT0>`LZH_45KB}w4h?N6_+*GXed2`w)s%zk
z14|6Un;PA1Ip3B~%1caGq4zz;ppXoxQxA^OcN2oBKQ8j%_@(e~zzi4-2}wPd@l6Af
z+H(=jIP`KPlnOREU?9&%R@kXZrwoWSfBKtA&qUJEtByE6@YBCqUln5+HN0g!`{1yp
z=DHQ~YK28!M{(_~3$IA$M-h($#_rnlUk71n4HwUGm6bXlCrcx`6GbTIgd0&P&Smi^
zC6bWD^oLGa2jKLkonR!h6t9M^tzhQK#yT{~P$efnUm0}mQX8W1Fv>vcJ**#1WZL|S
z<^OVQr_WE_L3;GH0ApB;JL|QX90~}5Pr2wJ-Y2W@?vxnHv-8;b>q+y9MMwPjW7(_s
zoQJRb-HD3iVG(@=eeFhAAee3RF#ud1rD%
z=R0lDnOA`+>+o^}<5ydwr@JAsm?`{K#rZjEn3D6d*J{h;$MdJB%%*pWfZ{jRa%zcS
z-HeKUpxgTqL1tVwVW`q()u+r2caDFZtv>kSQfIHC!ODT7TXeBDzEA$`PBLb@wF(mw
zl}c!!@Q=gr47@{{Oq(}3LHN9MUC2Mz5=dP!qbZ@es&4%L8I3o(Jj#|X-DlN{zZSc1
zBRY9oc00J>*r94_AXFvw(XEHjcK&;hD?;&{{13V2iBIvd5&ggW4EZ!223F4xco)}c
zg`|>7heF2V{TRL-#kRKZs+OPQBRun{`Qs7i=LQDjbOmYIasgD{8I6YM+4ca(c9hAt
z>&nG#rDmJpS1QJkeK;M5^{%DcnS_-eh&(S0@V|UO?*@xM6QX@C|oWUbgV9^RfIJk=0W6TN)F8w?s%9jx}T@rvYuQ=z^@zxA?J@}+Y
z#B&`jpo`ZzAXkmjK+7S-<-E<#aFNbC&siko`0$MJG3>$49o$$4y%MkmW+^Ag90S5H$eSfE&T-H1kSI5o8k
z6naL3ICCDB_RVG3Mr=llZtsK9VaZ;Q)S_O3mn_yZd69t;rp4%Pk?TK+*+^U`jiJM8
zNu?z9p#^mOP@Ggvo_Qc2T>4l7d^+FD(KZopvEUS&VjkwGn>@E`a8?`w(+1&SK1o&!
z_tBic+Mpl*Lb8Wuc0=-kEPK7RBhM_5>@#1~6obM-;e8IQ-$?VZb1M$5MNIJV8XA
zI;ZLK+M?%E)Q+MJ%RRRKa@WO
zo#og;57!SPeBK8dH#WZ;em$g)H^ap19#3|BTQRd$famtS`||SFxZCz>*`aZ^ua5OA
zktR~JXk>qz@eQ7=X%N;k54wRoq^`n68fU=OLH}*!o32ZyBI^@vx3=v^Hg1>`mEr@F
zQiX?AwRIDf4-nKkhlcru&hx0MeobJG3?nj^}D>YF4T}aRE;i%;2XR`_*fn
z?V%BDm`I-nmN+~x9N1Ln_~c;UZoGZ;NX5r0$y4N(e(>=lB)@@f75X=9YK40x?sa$5
zidU*NQ9HT{DW8`cXUIiw3EiHoQN}#eM=kBKJtG8?`aOOpCdg6X+pH@Y=D4(Ts=HYdDiEzTIGCq?V>{`NHk+M&Y8tIcFOz#?ALc*cZZ6kURnWCzP?aZnzdZL8
zu{j(Q=;lO$UBzbPD?ZBRHNgg#v4IU$xhqG;f9|rVBoo6GUN>Z!yH0J&ZfESZgDB_f
zvwnP#qUQeHhe`taLrPbEEXA2CFeEI2r7DfV4R$ht0asFCqVs==P_+7QA{5pF%xBWJ
zrRyF)uF5@KPb32>7TrP!r5Ey^(0C0WZ1IY4{s!+~aoTgI1<_e5r#=0)I`W1?aftI?
z$=T1+%)!u{Ud^6-V^Iuz3K?jRYx^SoNzbuR9d^jCnaDtoE6;gg%Zi-5597Z|vW$rV
z#j2*1(#Iv+)dNvXGRZjp#=*jjQe6EX$5h?gowmALdGQUFhjs|RI>=Zrp6wWh*#MjP
zl>Ig#1EGPfc9bvAVf`U+hW?-CaIJj)pL(MIBMtHO_TdTQBTq0(&aSF`5wN~TlA>}V
JB|@Kk{uk4D6!ZW9
literal 0
HcmV?d00001
diff --git a/pub/js/options.js b/pub/js/options.js
index 871df93..5ef8239 100644
--- a/pub/js/options.js
+++ b/pub/js/options.js
@@ -391,7 +391,74 @@ function w3tc_starts_with(s, starts_with) {
return s.substr(0, starts_with.length) == starts_with;
}
+function w3tc_security_headers() {
+ var directive_description =
+ {
+ browsercache_security_hsts_directive:
+ {
+ maxage: 'The time, in seconds (as defined under the "Expires Header Lifetime" box of "Media & Other Files"), that the browser should remember that this site is only to be accessed using HTTPS. This only affects the site\'s main domain.',
+ maxagepre: 'The time, in seconds (as defined under the "Expires Header Lifetime" box of "Media & Other Files"), that the browser should remember that this site is only to be accessed using HTTPS with a request to be included in Chrome\'s HSTS preload list - a list of sites that are hardcoded into Chrome as being HTTPS only. This only affects the site\'s main domain.',
+ maxageinc: 'The time, in seconds (as defined under the "Expires Header Lifetime" box of "Media & Other Files"), that the browser should remember that this site is only to be accessed using HTTPS. This affects the site\'s subdomains as well.',
+ maxageincpre: 'The time, in seconds (as defined under the "Expires Header Lifetime" box of "Media & Other Files"), that the browser should remember that this site is only to be accessed using HTTPS with a request to be included in Chrome\'s HSTS preload list - a list of sites that are hardcoded into Chrome as being HTTPS only. This affects the site\'s subdomains as well.'
+ },
+ browsercache_security_xfo_directive:
+ {
+ same: "The page can only be displayed in a frame on the same origin as the page itself.",
+ deny: "The page cannot be displayed in a frame, regardless of the site attempting to do so.",
+ allow: "The page can only be displayed in a frame on the specified URL."
+ },
+ browsercache_security_xss_directive:
+ {
+ 0: "Disables XSS filtering.",
+ 1: "Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).",
+ block: "Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected."
+ },
+ browsercache_security_pkp_extra:
+ {
+ maxage: 'The time, in seconds (as defined under the "Expires Header Lifetime" box of "Media & Other Files"), that the browser should remember that this site is only to be accessed using one of the defined keys. This only affects the site\'s main domain.',
+ maxageinc: 'The time, in seconds (as defined under the "Expires Header Lifetime" box of "Media & Other Files"), that the browser should remember that this site is only to be accessed using one of the defined keys. This affects the site\'s subdomains as well.'
+ },
+ browsercache_security_pkp_report_only:
+ {
+ 0: 'This instructs the browser to enforce the HPKP policy.',
+ 1: 'This sets up HPKP without enforcement allowing you to use pinning to test its impact without the risk of a failed connection caused by your site being unreachable or HPKP being misconfigured.'
+ }
+ };
+ jQuery('#browsercache_security_hsts_directive,#browsercache_security_xfo_directive,#browsercache_security_xss_directive,#browsercache_security_pkp_extra,#browsercache_security_pkp_report_only').change(
+ function() {
+ jQuery('#' + jQuery(this).attr('id') + '_description').html('' + directive_description[jQuery(this).attr('id')][jQuery(this).val()] + '');
+ if (jQuery(this).attr('id') == 'browsercache_security_xfo_directive') {
+ if (jQuery(this).val() == 'allow') {
+ jQuery('#browsercache_security_xfo_allow').show();
+ }else {
+ jQuery('#browsercache_security_xfo_allow').hide();
+ }
+ }
+ });
+
+ if(jQuery('#browsercache_security_xfo_allow').length) {
+ if (jQuery('#browsercache_security_xfo_directive').val() == 'allow') {
+ jQuery('#browsercache_security_xfo_allow').show();
+ } else {
+ jQuery('#browsercache_security_xfo_allow').hide();
+ }
+ jQuery('#browsercache_security_hsts_directive,#browsercache_security_xfo_directive,#browsercache_security_xss_directive,#browsercache_security_pkp_extra,#browsercache_security_pkp_report_only').change();
+ }
+}
+
+function w3tc_csp_reference() {
+ W3tc_Lightbox.open({
+ id: 'w3tc-overlay',
+ close: '',
+ width: 890,
+ height: 660,
+ content: ''
+ });
+ jQuery('div#overlay,.lightbox-content').click(function() {
+ W3tc_Lightbox.close();
+ });
+}
jQuery(function() {
// general page
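Review bot: The `maxagepre` description in `browsercache_security_hsts_directive` promises a preload request while saying only the main domain is affected, but the preload list accepts only sites whose header also carries `includeSubDomains`, so this option cannot deliver what its text says. Both preload descriptions also tie max-age to the "Expires Header Lifetime" value, while the list requires a long minimum max-age (one year, as far as I know), and neither warns that preloading is slow to undo because the list ships inside browser releases. I would end the `maxagepre` text with `Note: preload submissions are only accepted when subdomains are included, so this option alone will not get the site preloaded.` and add to `maxageincpre` the sentence `Removal from the preload list can take months; enable this only once every subdomain is served over HTTPS.` Separately, the change handler writes `directive_description[id][val]` into the page without checking that the key exists, so an option value missing from the map is rendered as the text "undefined".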
@@ -469,6 +536,8 @@ jQuery(function() {
['browsercache__cssjs__replace', 'browsercache__other__replace']);
w3tc_toggle2('browsercache_nocookies',
['browsercache__cssjs__nocookies', 'browsercache__other__nocookies']);
+
+ w3tc_security_headers();
// minify page
w3tc_input_enable('.html_enabled', jQuery('#minify__html__enable:checked').size());