Plugin headers and CSP (Gitlab issue #44)
Prep for stricter script-src: add security headers, remove the JS onload attributes, and move the init calls into the JS files. Add nonces to all scripts; a nonce-only policy can't be enabled yet because of innerHTML usage (see Gitlab issue #45)
@ -150,4 +150,8 @@ var revision = -1
|
||||
var pathToDir = new Map()
|
||||
|
||||
var sortKey = "Directory"
|
||||
var sortOrder = "descending"
|
||||
var sortOrder = "descending"
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initAdvancedSharing();
|
||||
}, true);
|
||||
|
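Review bot: The third argument `true` in `document.addEventListener("DOMContentLoaded", function() { … }, true)` requests capture, which has no observable effect here because DOMContentLoaded is dispatched at `document` itself and does not bubble, so it reads as intentional when it is not; `document.addEventListener("DOMContentLoaded", function() { initAdvancedSharing(); });` is equivalent and clearer. The same `, true` is repeated in every listener this commit adds, so one decision applies across files. A short comment such as `// replaces the former <body onload> call (CSP: no inline handlers)` would record why the init moved here.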
@ -318,3 +318,7 @@ function hideComment(infoHash) {
|
||||
var commentSpan = document.getElementById("comment-"+infoHash)
|
||||
commentSpan.innerHTML = ""
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initBrowse();
|
||||
}, true);
|
||||
|
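Review bot: `commentSpan.innerHTML = ""` in the context above the new listener is presumably one of the innerHTML sites the commit message says block a nonce-only policy, but clearing a node this way is not itself a CSP concern (only markup inserted through innerHTML that carries inline handlers or `<script>` is); switching it to `commentSpan.textContent = ""` would still take it off the audit list for issue #45. `hideComment` also assumes `getElementById` finds the span, so a guard like `if (commentSpan) commentSpan.textContent = ""` would avoid a TypeError when the comment is already gone. `hideComment` begins above this hunk.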
@ -208,3 +208,7 @@ function initCertificates() {
|
||||
setInterval(refreshCertificates, 3000)
|
||||
setTimeout(refreshCertificates, 1)
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initCertificates();
|
||||
}, true);
|
||||
|
@ -29,3 +29,7 @@ function initConnectionsCount() {
|
||||
setInterval(refreshConnectionsCount, 3000);
|
||||
setTimeout(refreshConnectionsCount, 1);
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initConnectionsCount();
|
||||
}, true);
|
||||
|
@ -219,3 +219,7 @@ function initDownloads() {
|
||||
setInterval(refreshDownloader, 3000)
|
||||
setTimeout(refreshDownloader,1);
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initDownloads();
|
||||
}, true);
|
||||
|
@ -400,4 +400,8 @@ var feedsSortOrder = "descending"
|
||||
var itemsSortKey = "Name"
|
||||
var itemsSortOrder = "descending"
|
||||
|
||||
var expandedComments = new Map()
|
||||
var expandedComments = new Map()
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initFeeds();
|
||||
}, true);
|
||||
|
@ -237,3 +237,7 @@ var downloadersSortKey = "Downloader"
|
||||
var downloadersSortOrder = "descending"
|
||||
var certificatesSortKey = "Name"
|
||||
var certificatesSortOrder = "descending"
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initFileDetails();
|
||||
}, true);
|
||||
|
@ -347,4 +347,8 @@ function unpublish(nodeId) {
|
||||
xmlhttp.open("POST", "/MuWire/Feed", true)
|
||||
xmlhttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
|
||||
xmlhttp.send("action=unpublish&file=" + encodedPath)
|
||||
}
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initFiles();
|
||||
}, true);
|
||||
|
@ -141,7 +141,7 @@ function refreshTable() {
|
||||
xmlhttp.send()
|
||||
}
|
||||
|
||||
function initFiles() {
|
||||
function initFilesTable() {
|
||||
setInterval(refreshStatus, 3000)
|
||||
setTimeout(refreshStatus, 1)
|
||||
|
||||
@ -239,3 +239,7 @@ function unpublish(path) {
|
||||
xmlhttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
|
||||
xmlhttp.send("action=unpublish&file=" + path)
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initFilesTable();
|
||||
}, true);
|
||||
|
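Review bot: The rename `initFiles` → `initFilesTable` looks like it resolves a clash with `initFiles` in files.js (Files.jsp loads exactly one of the two scripts), but nothing in the code records that; I'd add `// named distinctly from files.js's initFiles: Files.jsp loads one script or the other` above the function. In the second hunk, `xmlhttp.send("action=unpublish&file=" + path)` sends `path` raw whereas the sibling in files.js sends an `encodedPath`; if the caller does not already URL-encode it, an `&` or `#` in a file name corrupts the form body, so `encodeURIComponent(path)` is the safer form — the caller is not visible from here. The `initFilesTable` body continues past the first hunk.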
@ -908,3 +908,11 @@ function initGroupByFile() {
|
||||
setInterval ( refreshStatus, 3000);
|
||||
setTimeout ( refreshStatus, 1);
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
if (bySender) {
|
||||
initGroupBySender();
|
||||
} else {
|
||||
initGroupByFile();
|
||||
}
|
||||
}, true);
|
||||
|
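Review bot: The new DOMContentLoaded handler reads the global `bySender` without guarding against it being undefined, so if `search.js` is ever loaded by a page that does not define that variable in an earlier inline script, the handler throws a ReferenceError and neither `initGroupBySender` nor `initGroupByFile` runs. Either make the dependency explicit, `var sender = (typeof bySender !== 'undefined') && bySender;`, or at least document it with `// bySender is set by an inline script in Search.jsp that must precede this file`. `initGroupByFile` begins above this hunk.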
@ -25,3 +25,7 @@ function initStatus() {
|
||||
setInterval(refreshStatus, 3000);
|
||||
setTimeout(refreshStatus, 1);
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initStatus();
|
||||
}, true);
|
||||
|
@ -27,3 +27,7 @@ function _t(s, p) {
|
||||
rv = rv.replace("{0}", p);
|
||||
return rv;
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initTranslate(jsTranslations);
|
||||
}, true);
|
||||
|
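Review bot: `initTranslate(jsTranslations)` relies on the `jsTranslations` global that css.jsi defines in an inline script placed after the `translate.js` tag; that only works because the DOMContentLoaded handler runs after every synchronous head script has executed, and the ordering assumption deserves a comment such as `// jsTranslations is declared by css.jsi after this file is loaded; safe because DOMContentLoaded fires after all synchronous scripts`. `_t` begins above this hunk.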
@ -371,3 +371,7 @@ function initTrustLists() {
|
||||
setTimeout(fetchRevision, 1)
|
||||
setInterval(fetchRevision, 3000)
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initTrustLists();
|
||||
}, true);
|
||||
|
@ -273,3 +273,7 @@ function initTrustUsers() {
|
||||
setTimeout(fetchRevision, 1)
|
||||
setInterval(fetchRevision, 3000)
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initTrustUsers();
|
||||
}, true);
|
||||
|
@ -85,3 +85,7 @@ function initUploads() {
|
||||
setInterval(refreshUploads, 3000)
|
||||
setTimeout(refreshUploads,1);
|
||||
}
|
||||
|
||||
document.addEventListener("DOMContentLoaded", function() {
|
||||
initUploads();
|
||||
}, true);
|
||||
|
@ -19,9 +19,9 @@ Core core = (Core) application.getAttribute("core");
|
||||
<html>
|
||||
<head>
|
||||
<%@include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/sign.js?<%=version%>" type ="text/javascript"></script>
|
||||
<script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/sign.js?<%=version%>" type ="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
function copyFullId() {
|
||||
copyToClipboard("full-id")
|
||||
alert("Full ID copied to clipboard")
|
||||
@ -29,7 +29,7 @@ function copyFullId() {
|
||||
openAccordion = 3;
|
||||
</script>
|
||||
</head>
|
||||
<body onload="initConnectionsCount();">
|
||||
<body>
|
||||
<%@include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="searchbox.jsi"%>
|
||||
|
@ -13,14 +13,14 @@ String helptext = Util._t("Use this page to configure advanced settings for each
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script src="js/advancedSharing.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/advancedSharing.js?<%=version%>" type="text/javascript"></script>
|
||||
<script type="text/javascript">
|
||||
openAccordion = 2;
|
||||
</script>
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initAdvancedSharing();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<div class="menubox-divider"></div>
|
||||
|
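Review bot: The inline `openAccordion = 2;` script in this head still has no `nonce` attribute, so it will be blocked the moment `script-src` drops `'unsafe-inline'`, which is what the commit is preparing for; it should become `<script nonce="<%=cspNonce%>" type="text/javascript">` like the other tags. Separately, the rewritten `tables.js` tag carries over an unbalanced attribute — `src="js/tables.js?<%=version%> type="text/javascript">` has no closing quote after the version — so the browser requests `js/tables.js?<version> type=` and it only works because the server ignores the query string; it should read `src="js/tables.js?<%=version%>" type="text/javascript"`.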
@ -22,19 +22,19 @@ if (request.getParameter("currentHost") != null) {
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/certificates.js?<%=version%> type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script src="js/browse.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/certificates.js?<%=version%> type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/browse.js?<%=version%>" type="text/javascript"></script>
|
||||
|
||||
<% if (currentBrowse != null) { %>
|
||||
<script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
currentHost="<%=currentBrowse%>"
|
||||
</script>
|
||||
<% } %>
|
||||
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initBrowse(); initCertificates();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<div class="menubox-divider"></div>
|
||||
|
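Review bot: `currentHost="<%=currentBrowse%>"` writes a server-side value straight into a JavaScript string literal inside the nonced script without escaping; the hunk header suggests it originates from the `currentHost` request parameter, and if so a value containing `"`, a backslash, a newline or `</script>` breaks out of the literal, and the nonce does not help because the injected text sits inside the trusted block (with the current `'unsafe-inline'` policy this is plain reflected XSS). Either validate it against the expected format before emitting it or escape it for the JavaScript-string context (for instance emit it as a JSON string literal); where `currentBrowse` is computed is outside this hunk, so confirm whether an earlier check already constrains it. The `certificates.js` and `tables.js` tags also keep the pre-existing missing closing quote after `<%=version%>`, which is worth fixing while the lines are being touched.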
@ -31,7 +31,7 @@ Exception error = (Exception) application.getAttribute("MWConfigError");
|
||||
openAccordion = 2;
|
||||
</script>
|
||||
</head>
|
||||
<body onload="initConnectionsCount();">
|
||||
<body>
|
||||
<%@include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="searchbox.jsi"%>
|
||||
|
@ -18,10 +18,10 @@ String helptext = Util._t("This page shows the files you are currently downloadi
|
||||
<html>
|
||||
<head>
|
||||
<%@include file="css.jsi"%>
|
||||
<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/download.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/download.js?<%=version%>" type="text/javascript"></script>
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initDownloads();">
|
||||
<body>
|
||||
<%@include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="searchbox.jsi"%>
|
||||
|
@ -16,13 +16,13 @@ String helptext = Util._t("Every MuWire user can have a file feed to publish sha
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/certificates.js?<%=version%> type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script src="js/feeds.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/certificates.js?<%=version%> type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/feeds.js?<%=version%>" type="text/javascript"></script>
|
||||
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initFeeds(); initCertificates();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<div class="menubox-divider"></div>
|
||||
|
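Review bot: The nonced `certificates.js` and `tables.js` tags keep the unbalanced `src` attribute — `src="js/certificates.js?<%=version%> type="text/javascript">` — so ` type=` ends up in the requested URL's query string and `text/javascript"` is parsed as a stray attribute name. This is pre-existing, but since the tags are rewritten anyway they should become `src="js/certificates.js?<%=version%>" type="text/javascript"` and likewise for tables.js.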
@ -17,16 +17,16 @@ File file = Util.getFromPathElements(path);
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script src="js/fileDetails.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/fileDetails.js?<%=version%>" type="text/javascript"></script>
|
||||
|
||||
<script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
path="<%=path%>"
|
||||
</script>
|
||||
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initFileDetails();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<div class="menubox-divider"></div>
|
||||
|
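Review bot: `path="<%=path%>"` emits `path` unescaped into a JavaScript string literal inside the nonced script; per the hunk header `path` feeds `Util.getFromPathElements(path)` and looks request-derived, so a value containing `"`, a backslash or `</script>` escapes the literal, and a nonce cannot prevent that because the payload is inside the trusted block. Escape it for the JS-string context (e.g. encode it as a JSON string literal) or move it into a `data-` attribute read via `dataset`, and check in the page's scriptlet whether the value is already validated. The `tables.js` tag also keeps the unbalanced `src="js/tables.js?<%=version%> type=…` attribute missing its closing quote.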
@ -32,20 +32,23 @@
|
||||
<html>
|
||||
<head>
|
||||
<%@include file="css.jsi"%>
|
||||
<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/certificates.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/search.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/certificates.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
<% if (groupBy.equals("sender")) { %>
|
||||
var bySender = true;
|
||||
<% } else { %>
|
||||
var bySender = false;
|
||||
<% } %>
|
||||
</script>
|
||||
<script nonce="<%=cspNonce%>" src="js/search.js?<%=version%>" type="text/javascript"></script>
|
||||
<% if (request.getParameter("uuid") != null) {%>
|
||||
<script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
uuid="<%=request.getParameter("uuid")%>"
|
||||
</script>
|
||||
<% } %>
|
||||
</head>
|
||||
<% if (groupBy.equals("sender")) { %>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initGroupBySender(); initCertificates();">
|
||||
<% } else { %>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initGroupByFile(); initCertificates();">
|
||||
<% } %>
|
||||
<body>
|
||||
<%@include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="searchbox.jsi"%>
|
||||
|
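Review bot: `uuid="<%=request.getParameter("uuid")%>"` reflects a raw request parameter into a JavaScript string literal inside the nonced script with no validation or escaping; a value such as `";alert(1);//` or one containing `</script>` breaks out of the literal, the current `script-src 'self' 'unsafe-inline'` does not block it, and a future nonce-only policy would not either because the injected text is inside the nonced block. Since the value is meant to be a UUID, parse it in the scriptlet before echoing it, `String uuidParam = request.getParameter("uuid");` / `if (uuidParam != null) uuidParam = java.util.UUID.fromString(uuidParam).toString();` (rejecting the request on `IllegalArgumentException`), and emit `uuidParam` instead. The `bySender` inline script is correctly placed before `search.js`, which now reads that global in its DOMContentLoaded handler; a comment there, `<%-- bySender must be defined before search.js is loaded --%>`, would make the ordering explicit.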
@ -17,12 +17,12 @@ String buildNumber = (String)application.getAttribute("buildNumber");
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/status.js?<%=version%>" type="text/javascript"></script>
|
||||
<script>
|
||||
<script nonce="<%=cspNonce%>" src="js/status.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
openAccordion = 3;
|
||||
</script>
|
||||
</head>
|
||||
<body onload="initConnectionsCount(); initStatus();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<div class="menubox-divider"></div>
|
||||
|
@ -19,16 +19,16 @@ if (viewAs == null)
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<% if (viewAs.equals("tree")) { %>
|
||||
<script src="js/files.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/files.js?<%=version%>" type="text/javascript"></script>
|
||||
<% } else { %>
|
||||
<script src="js/filesTable.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/filesTable.js?<%=version%>" type="text/javascript"></script>
|
||||
<% } %>
|
||||
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initFiles();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<div class="menubox-divider"></div>
|
||||
|
@ -11,14 +11,14 @@ String helptext = Util._t("This page shows the trust lists of the users you have
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/trustLists.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/trustLists.js?<%=version%>" type="text/javascript"></script>
|
||||
<script type="text/javascript">
|
||||
openAccordion = 1;
|
||||
</script>
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initTrustLists();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="sidebar.jsi"%>
|
||||
|
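Review bot: The inline `openAccordion = 1;` script in this head is left without a `nonce` attribute while every other script tag got one; once `'unsafe-inline'` is removed from `script-src`, the goal stated in the commit, this block will be blocked and the accordion will open on the wrong section. Change it to `<script nonce="<%=cspNonce%>" type="text/javascript">`.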
@ -12,14 +12,14 @@ String helptext = Util._t("This page shows the users you have marked as Trusted
|
||||
<html>
|
||||
<head>
|
||||
<%@ include file="css.jsi"%>
|
||||
<script src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/trustUsers.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/trustUsers.js?<%=version%>" type="text/javascript"></script>
|
||||
<script type="text/javascript">
|
||||
openAccordion = 1;
|
||||
</script>
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initTrustUsers();">
|
||||
<body>
|
||||
<%@ include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="sidebar.jsi"%>
|
||||
|
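Review bot: The inline `openAccordion = 1;` script here also lacks a `nonce` attribute, so it will be blocked under the nonce-only `script-src` this commit prepares for, and the accordion state will silently be wrong. It should be `<script nonce="<%=cspNonce%>" type="text/javascript">` like the tags above it.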
@ -18,10 +18,10 @@ String helptext = Util._t("This page shows the files you are currently uploading
|
||||
<html>
|
||||
<head>
|
||||
<%@include file="css.jsi"%>
|
||||
<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script src="js/upload.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" src="js/upload.js?<%=version%>" type="text/javascript"></script>
|
||||
</head>
|
||||
<body onload="initTranslate(jsTranslations); initConnectionsCount(); initUploads();">
|
||||
<body>
|
||||
<%@include file="header.jsi"%>
|
||||
<aside>
|
||||
<%@include file="searchbox.jsi"%>
|
||||
|
@ -1,10 +1,22 @@
|
||||
<%
|
||||
|
||||
String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());
|
||||
|
||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||
// TODO after removing innterHTML: script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'
|
||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
|
||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||
response.setHeader("Accept-Ranges", "none");
|
||||
response.setHeader("Referrer-Policy", "no-referrer");
|
||||
%>
|
||||
<title>MuWire ${version}</title>
|
||||
<link href="i2pbote.css?${version}" rel="stylesheet" type="text/css">
|
||||
<link href="muwire.css?${version}" rel="stylesheet" type="text/css">
|
||||
<link rel="icon" type="image/png" href="images/muwire.png" />
|
||||
<script src="js/conncount.js?${version}" type="text/javascript"></script>
|
||||
<script src="js/translate.js?${version}" type="text/javascript"></script>
|
||||
<script src="js/accordion.js?${version}" type="text/javascript"></script>
|
||||
<script type="text/javascript">
|
||||
<script src="js/conncount.js?${version}" nonce="<%=cspNonce%>" type="text/javascript"></script>
|
||||
<script src="js/translate.js?${version}" nonce="<%=cspNonce%>" type="text/javascript"></script>
|
||||
<script src="js/accordion.js?${version}" nonce="<%=cspNonce%>" type="text/javascript"></script>
|
||||
<script nonce="<%=cspNonce%>" type="text/javascript">
|
||||
var jsTranslations = '<%=Util.getJSTranslations()%>';
|
||||
</script>
|
||||
|
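Review bot: `Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt())` gives at most 32 bits of nonce entropy (and fewer hex digits for small positive values), whereas the CSP specification calls for nonces with at least 128 bits of randomness, base64-encoded; generate it as `byte[] nonceBytes = new byte[16];` / `net.i2p.util.RandomSource.getInstance().nextBytes(nonceBytes);` / `String cspNonce = java.util.Base64.getEncoder().encodeToString(nonceBytes);` (assuming RandomSource exposes SecureRandom's `nextBytes` — confirm). The TODO's planned `script-src 'self' 'unsafe-inline' 'nonce-…'` has no middle ground: CSP2+ browsers ignore `'unsafe-inline'` as soon as a nonce or hash is present, so that line is already nonce-only in effect and the comment should say so. Because this include runs after `<html><head>` has been written, the `setHeader` calls depend on the JSP output buffer not having been flushed; if a page ever flushes before this include the headers are silently dropped, which deserves a comment or moving the header block ahead of any output. `X-XSS-Protection: 1; mode=block` is deprecated and current guidance is to send `0` and rely on the CSP instead.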