Index: openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl,v
diff -u -r1.2.2.7 -r1.2.2.8
--- openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl 9 Sep 2016 08:12:25 -0000 1.2.2.7
+++ openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl 12 Sep 2016 08:29:49 -0000 1.2.2.8
@@ -239,7 +239,8 @@
 if (document.forms[form_name].elements[element_name].type == 'hidden') return;
 document.forms[form_name].elements[element_name].focus();
- }}
+ };
+ }
 append focus_script "acs_Focus('${form_name}', '${element_name}');\n"
 template::add_body_script -script $focus_script
 } else {
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.78.2.27 -r1.78.2.28
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 9 Sep 2016 08:27:11 -0000 1.78.2.27
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 12 Sep 2016 08:29:49 -0000 1.78.2.28
@@ -340,9 +340,17 @@ Logs the user out. } { set domain [parameter::get -parameter CookieDomain -package_id [ad_acs_kernel_id]] - - ad_unset_cookie -domain $domain -secure f ad_session_id - ad_unset_cookie -domain $domain -secure t ad_session_id + # + # Use the same "secure" setting for unsetting the cookie as it was + # used for setting the cookie. The implementation is not 100% + # correct, for cases, when the parameter value for + # "SecureSessionCookie" was altered during a session, but this + # should be a seldom border case. + # + ad_unset_cookie -domain $domain -secure [expr {[parameter::get \ + -parameter SecureSessionCookie \ + -package_id [ad_acs_kernel_id] \ + -default 0] ? "t" : "f"}] ad_session_id ad_unset_cookie -domain $domain -secure f ad_user_login ad_unset_cookie -domain $domain -secure t ad_secure_token ad_unset_cookie -domain $domain -secure t ad_user_login_secure @@ -2038,9 +2046,18 @@ security::csp::require script-src 'self' security::csp::require style-src 'self' security::csp::require img-src 'self' + security::csp::require font-src 'self' # - # Always add the nonce-token to script-src + # Always add the nonce-token to script-src. Note, that nonce + # definition comes via CSP 2, which - at the current time - is + # not supported by all browsers interpreting CSPs. We could + # add a "unsafe-inline" here, since the spec defines that when + # 'unsafe-inline' and a 'nonce-source' is used, the + # 'unsafe-inline'" will have no effect + # (https://w3c.github.io/webappsec-csp/ ยง 6.6.2.2.). However, + # some security checkers just look for 'unsafe-inline' and + # downgrade the rating without honoring the 'nonce-src'. # security::csp::require script-src 'nonce-$nonce' 
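Review bot: The logout now clears only the ad_session_id variant that matches the current SecureSessionCookie value, so a session cookie issued under the other setting survives the logout; the new comment concedes this for the parameter-changed case, but the removed lines cleared both variants unconditionally, which is the conservative choice for a logout path. It is also inconsistent with the unchanged lines just below, where ad_user_login is still unset with both `-secure f` and `-secure t`. Unless there is a concrete reason not to send the non-matching unset (none is stated in the hunk), keep the parameter-driven line and restore the complementary one, e.g. `ad_unset_cookie -domain $domain -secure f ad_session_id` and `ad_unset_cookie -domain $domain -secure t ad_session_id`, or extend the comment to say why only one may be sent. The enclosing logout proc starts before this hunk.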
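Review bot: The new comment above `security::csp::require script-src 'nonce-$nonce'` describes an option ("We could add unsafe-inline") without stating the decision that was actually taken, and it contains a mis-encoded section sign (`ยง 6.6.2.2.`) and a stray quote in `'unsafe-inline'"`. Suggest ending it with the decision so the next maintainer does not re-add the fallback, e.g. `# Deliberately no 'unsafe-inline' fallback: CSP-1-only browsers will block inline scripts, but adding it makes scanners downgrade the policy.` The added `font-src 'self'` line looks fine given that require is additive for packages needing other origins, though that behaviour is not visible in this hunk. The enclosing proc starts before and continues after this hunk.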
@@ -2049,26 +2066,12 @@ # style="...">) would be allowed. # security::csp::require style-src 'unsafe-inline' - + # - # Check for invalid combination to avoid unexpected behavior + # Define a report URI to ease debugging. CSP 3 will support a + # "report-to" directive, but will still support "report-uri". # - foreach directive {script-src style-src} { - # - # The combination of 'unsafe-inline' with a hash or nonce is - # not possible, since 'unsafe-inline' is ignored in such - # cases. - # - set var ::__csp__directive($directive) - if {[info exists $var] && "'unsafe-inline'" in [set $var]} { - foreach prefix {nonce sha256 sha384 sha512} { - set p [lsearch -glob [set $var] '$prefix-*'] - if {$p > -1} { - set $var [lreplace [set $var] $p $p] - } - } - } - } + security::csp::require report-uri /SYSTEM/csp-collector.tcl set policy "" foreach directive { Index: openacs-4/www/blank-master.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/www/blank-master.tcl,v diff -u -r1.56.2.8 -r1.56.2.9 --- openacs-4/www/blank-master.tcl 9 Sep 2016 08:12:25 -0000 1.56.2.8 +++ openacs-4/www/blank-master.tcl 12 Sep 2016 08:29:49 -0000 1.56.2.9 @@ -239,7 +239,8 @@ if (document.forms[form_name].elements[element_name].type == 'hidden') return; document.forms[form_name].elements[element_name].focus(); - }} + }; + } append focus_script "acs_Focus('${form_name}', '${element_name}');\n" template::add_body_script -script $focus_script } else {
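Review bot: `security::csp::require report-uri /SYSTEM/csp-collector.tcl` hard-codes the collector path into every enforced policy, so each violation on every page becomes an unauthenticated POST to that endpoint; it should be a kernel parameter (so sites can point it elsewhere or disable it) and the collector, which is not part of the visible diff, needs a request-size limit and must treat the report JSON as untrusted input. Removing the reconciliation loop also changes behaviour for callers: a package that requests `script-src 'unsafe-inline'` now silently gets no effect, because the nonce added earlier in this proc makes browsers ignore it, whereas before the nonce was dropped to honour the request. Consider at least `ns_log warning "CSP: 'unsafe-inline' in script-src is ignored because a nonce is set"` when both are present, or a comment at the removal site stating the new rule. The proc continues past the end of this hunk.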