- add CSP directives

- use addEventListener instead of onclick markup for wiki-search, edit-tags and popular-tags

- fix popular tags link

- regenerated template files

- added CSP directives for yui

- bump version number to 5.9.1d12

    -3 +3 /openacs-4/packages/xowiki/xowiki.info
    -1 +1 /openacs-4/packages/xowiki/lib/view.tcl
- always use template::head procs

- bump version number to 0.150

- add required CSP directives; turn "body_handler -event onload" into a body_script

- add CSP directive "img-src 'self'" per default

- CSP-reform: turn hrefs with javascript: URLs into body_scripts with eventListener for "click"

- reduce verbosity

- CSP-reform: turn onclick handler into body_script with eventListener

- composition-rel reform: add one more type-cast

- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined body-script

- turn "body_event_handlers" into "window.addEventListener"

- Improved compatibility with PostgreSQL before 9.2: don't use SQL-language function names to reference parameters, to obtain compatibility for earlier PostgreSQL versions (see https://www.postgresql.org/docs/9.2/static/release-9-2.html item E.19.3.9.3)

- fix upgrade script for PostgreSQL before 9.2: the old version already checked the version number, but actually the SQL compilation failed due to the unknown "IF EXISTS" for sequences.

- add required CSP directives

- update dependencies on acs-tcl for CSP

- upgrade CKEditor version to 4.5.11

- bump version number to 5.9.1d11

    -4 +4 /openacs-4/packages/xowiki/xowiki.info
- add required CSP directives

- update dependencies for CSP

- upgrade CKEditor version to 4.5.10

- bump version number to 0.6

- turn hardcoded inline script into a template::add_body_script to use CSP nonces

- bump version number to 1.3d15

    -2 +2 /openacs-4/packages/forums/forums.info
- use functions rather than strings in js setTimeout() for CSP

- use template::add_body_script to get CSP nonces generated

- bump version to 0.47

- Added support for W3C Content Security Policy (CSP)

  * For details about CSP, see https://www.w3.org/TR/CSP/

  * New calls:

    security::csp::nonce:
      Generate a CSP nonce token

    security::csp::require /directive/ /value/:
      Add a requirement of a page to the CSP in order to later generate a tailored policy with the minimal permissions for this page. For example, the following requirement is currently added per default to the oacs-master template to permit style tags and style attributes in the markup.

        security::csp::require style-src 'unsafe-inline'

    security::csp::render:
      Generate a policy from the requirements

  * Added Kernel Parameter CSPEnabledP to activate/deactivate CSP (default on)

- Bump version numbers
    acs-tcl to 5.9.1d11
    acs-bootstrap-installer to 5.9.1d4
    acs-kernel to 5.9.1d17

    -2 +2 /openacs-4/packages/acs-tcl/acs-tcl.info
- new function ::security::nonce_token to generate a nonce token as described in W3C Content Security Policy

- use "filter_return" in cases where we can map the .adp file, and improve documentation

- add support for W3C Subresource Integrity (SRI)

  * For details about SRI, see https://www.w3.org/TR/SRI/

  * Added arguments -crossorigin and -integrity to the following functions:
      template::add_body_script
      template::add_script
      template::head::add_javascript
      template::head::add_link
      template::head::add_script

  * Updated blank-master.adp
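How the value passed to the new -integrity argument is produced, as an added example that is not OpenACS code. It assumes tcllib's sha256 package (the sha2 module); SRI also accepts sha384 and sha512, but tcllib ships sha256, which is sufficient to show the mechanism. The proc names, the script URL and the script bytes are constructed for this illustration.

```tcl
# Added example, not OpenACS code: compute an SRI integrity value and emit
# the tag. Assumes tcllib (package sha256) is installed.
package require Tcl 8.6
package require sha256

# "sha256-<base64 of raw digest>" over the exact bytes that will be served.
# Hash the file you deploy, not a re-encoded or minified copy of it: any
# byte difference makes the browser refuse to run the resource.
proc sri_integrity {bytes} {
    set digest [::sha2::sha256 -bin -- $bytes]
    return "sha256-[binary encode base64 $digest]"
}

# Script tag with both attributes. crossorigin="anonymous" is required for
# cross-origin resources: without CORS the browser cannot read the body to
# verify it and treats the integrity check as failed.
proc sri_script_tag {src bytes} {
    return "<script src=\"$src\" integrity=\"[sri_integrity $bytes]\" crossorigin=\"anonymous\"></script>"
}

# Constructed sample: bytes of a script as fetched from a CDN.
set js {window.yuiReady = function () { return true; };}
puts [sri_script_tag https://cdn.example.org/yui.js $js]
```

The string returned by sri_integrity is what the -integrity argument of the listed template procs expects, with -crossorigin set to anonymous for resources served from another origin.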

- some more cleanup:
  * remove commented out code
  * add missing argument documentation (template::head::add_javascript)
  * document arguments alphabetically

- bring version in www (in cvs) in sync with version from packages/acs-bootstrap-installer/installer/www/

- provide a better error message in case the request processor fails early

- Implements "Upgrade Insecure Requests" headers (W3C Candidate Recommendation, https://www.w3.org/TR/upgrade-insecure-requests/)

- security::redirect_to_secure: add flag "-script_abort" to make it usable in filter procs (ad_script_abort triggers errors without error message)

- security::get_secure_location:
  * align implementation to function documentation (to make it usable for sub-sites). The last version always returned the "configured secure" location, not the "current secure location"
  * replace regexps by util::split_location/util::join_location/

- add missing expand operator

- add kernel parameter to make ad_session_id cookies secure (useful on sites where all sessions are via https; improves the security rating on e.g. Mozilla's Observatory tool)

- provide default masters in case no theme provides a template

file plain-streaming-head.adp was initially added on branch oacs-5-9.

file plain-streaming-head.tcl was initially added on branch oacs-5-9.