• last updated 14 hours ago
Constraints: committers
Constraints: files
Constraints: dates
Use NaviServer feature "ns_deletecookie ... -samesite $samesite ..." when available.

  1. … 2 more files in changeset.
use common "icanuse" idioms

  1. … 1 more file in changeset.
improve cross references in apidoc

  1. … 1 more file in changeset.
- Fix a tricky Tcl_Obj sharing bug triggered by the usage of C-level

IndexObjs based on volatile tables. Consider the following example:

proc foo {x} {

return [bar -value x ...]


The Tcl_Obj "x" is shared as name of argument and as a value of the

non-positional parameter "-value". When bar (e.g. C-implemented)

uses Tcl_GetIndexFromObj*() to lookup "x" in a table of options,

which is volatile, the involved Tcl_Obj will be converted to an


On a call with wrong number of arguments( e.g."foo 1 2 3"), Tcl

will try to give a nice error message, saying that "foo x" can be

called only with one argument. When printing argument "x", it sees

that "x" is an indexObj, and for these kinds of objects, "x" might

be an abbreviated version of a full name. Since the table behind

the indexObj is in the case above volatile, a crash might happen.

The committed fix above is just a temporary measure. NaviServer should

try to avoid such Tcl_Obj conversions in these cases. It is also

questionable, whether the attempt to interpret a argument name as

an abbreviated.

Whitespace cleanup

    • -14
    • +13
improve spelling

  1. … 15 more files in changeset.
improve spelling

  1. … 14 more files in changeset.
- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from

sending this cookie along with cross-site requests to mitigate cross site

scripting attacks. Permissible values are [term strict], [term lax],

or [term none] (default). While the value [term strict] prevents

sending the cookie to the target site in all cross-site browsing

context, the value of [term lax] allows sending the cookie when the

user clicks on regular links. For details, see


This cookie flag is not yet part of an RFC, but most major browsers

support it. Browsers that do not support it, ignore the flag

silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to

provide backward compatibility, the flag can't be activated by

default on all cookies.

  1. … 2 more files in changeset.
don't raise exception when folder_path is empty

  1. … 1 more file in changeset.
make spelling of names more consistent

  1. … 5 more files in changeset.
improve documentation

    • -11
    • +10
  1. … 10 more files in changeset.
factor out naviserver and aolserver specific code

    • -0
    • +191
  1. … 2 more files in changeset.