release work

  1. … 3 more files in changeset.
cvs update for copied file

  1. … 1 more file in changeset.
added page contract

address issue #3435 (many thanks to Michael Aram)

  1. … 1 more file in changeset.
provide plain (default) favicon

use usual spelling convention

Bring files on oacs-5-10 in sync with HEAD

  1. … 15 more files in changeset.
Cleanup trailing whitespace

  1. … 6 more files in changeset.
Fix typo

merged changes from the oacs-5-9 branch and resolved conflicts

  1. … 7832 more files in changeset.
commit after merge conflict

Prevent errors in the middle of a release upgrade when the system still does not have the render_widgets proc defined. Users should restart the server asap anyway.

bootstrap installer:

- added csp policy to the files upgradeable via apm

- bumped version number to 5.9.1d5

  1. … 3 more files in changeset.
-- handle ie 11 (uses a different header field for CSP)

- move CSP generation to the end

  1. … 1 more file in changeset.
- Refine security policies: when necessary, define both a nonce and a 'unsafe-inline' to ensure compatibility on some less advanced


- use same "secure" setting for ad_session_id, otherwise, just the last one is honored

- fix linefeed and semicolon in js for focus handling

  1. … 2 more files in changeset.
- add csp-collector

file csp-collector.tcl was initially added on branch oacs-5-9.

- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined


- turn "body_event_handlers" into "window.addEventListener"

  1. … 3 more files in changeset.
- Added support for W3C Content Security Policy (CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:


Generate a CSP nonce token

security::csp::require /directive/ /value/:

Add a requirement of a page to the CSP in order to generate later a tailored policy with the minimal permissions for this page. For example, the following requirement is currently added per default to the oacs-master template to permit style tags and style attributes in the markup.

security::csp::require style-src 'unsafe-inline'


Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/deactivate CSP (default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

  1. … 6 more files in changeset.
- add support for W3C Subresource Integrity (SRI)

* For details about SRI, see https://www.w3.org/TR/SRI/

* Added arguments -crossorigin and -integrity

to the following functions






* Updated blank-master.adp

- some more cleanup:

* remove commented out code

* add missing argument documentation


* document arguments alphabetically

  1. … 3 more files in changeset.
- bring version in www (in cvs) in sync with version from packages/acs-bootstrap-installer/installer/www/

- regenerated documentation, including changelog

  1. … 123 more files in changeset.
- added version info

- update for js and flat list support

- improve validity for HTML5

  1. … 1 more file in changeset.
- provide minimal support for ckeditor4 (via CDN)

- added changes from antonio to pass handling for unknown editor to the master templates

  1. … 2 more files in changeset.
- improve safety of HTML

  1. … 1 more file in changeset.
- provide defaults for Content-Style-Type and Content-Script-Type

  1. … 1 more file in changeset.
- stick in oacs-5-8 to the old praxis and load core.js in oacs-5-9 as body script

- include js function acs_Focus() in head such that core.js can be added safely as body_script

- remove obsolete handling for document.getElementById()

  1. … 1 more file in changeset.