comparison roundup/cgi/KeywordsExpr.py @ 5217:17b213eab274
Add nonce to embedded script references.
This should allow these scripts to execute with a nonce-.... content
security policy (csp). However, there is still a lot of inline
javascript that a web developer needs to look at and rewrite the
inline javascript (onsubmit, onclick ..) to be applied by a nonce-
authorized javascript library that adds event listeners.
Ref: https://csp.withgoogle.com/docs/adopting-csp.html#refactor-inline-event-handlers-and-javascript-uris
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Mar 2017 21:08:30 -0400 |
| parents | 0142b4fb5a2d |
| children | 7d276bb8b46d |
| 5216:6a4317738a90 | 5217:17b213eab274 |
|---|---|
| 3 | 3 |
| 4 WINDOW_CONTENT = '''\ | 4 WINDOW_CONTENT = '''\ |
| 5 <h3>Keyword Expression Editor:</h3> | 5 <h3>Keyword Expression Editor:</h3> |
| 6 <hr/> | 6 <hr/> |
| 7 <div id="content"></div> | 7 <div id="content"></div> |
| 8 <script type="text/javascript"> | 8 <script nonce="%(nonce)s" type="text/javascript"> |
| 9 <!-- | 9 <!-- |
| 10 | 10 |
| 11 var NOT_OP = "-2"; | 11 var NOT_OP = "-2"; |
| 12 var AND_OP = "-3"; | 12 var AND_OP = "-3"; |
| 13 var OR_OP = "-4"; | 13 var OR_OP = "-4"; |
| 263 prop = request.form.getfirst("property") | 263 prop = request.form.getfirst("property") |
| 264 | 264 |
| 265 window_content = WINDOW_CONTENT % { | 265 window_content = WINDOW_CONTENT % { |
| 266 'prop' : prop, | 266 'prop' : prop, |
| 267 'keywords': items_to_keywords(list_nodes(request)), | 267 'keywords': items_to_keywords(list_nodes(request)), |
| 268 'original': '' | 268 'original': '', |
| 269 'nonce': request.client.client_nonce | |
| 269 } | 270 } |
| 270 | 271 |
| 271 return window_content | 272 return window_content |
| 272 | 273 |
| 273 # vim: set et sts=4 sw=4 : | 274 # vim: set et sts=4 sw=4 : |
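Review bot: in the first region (template line 8, `<script nonce="%(nonce)s" type="text/javascript">`), the nonce is interpolated straight into a quoted HTML attribute with no escaping, so the change is only safe if `request.client.client_nonce` is guaranteed to be an unpredictable value from a CSPRNG encoded in a character set that can never contain `"`, `<` or `&` (base64 or hex). Please state that guarantee in a comment next to `WINDOW_CONTENT`, or run the value through the same HTML-attribute escaping the rest of the template uses; a nonce that is guessable or reused across responses gives no protection under CSP, and one that can contain a quote breaks out of the attribute.

Review bot: in the second region (lines 265-270), `'nonce': request.client.client_nonce` is read with no fallback, so any code path that builds a client without setting `client_nonce` will now raise `AttributeError` when this window is rendered. This hunk also does not show where `client_nonce` is generated or where the `Content-Security-Policy` header is emitted; confirm the value used here is the same per-response value placed in the header, since a mismatch makes the browser block the script entirely. The added trailing comma after `'original': ''` is correct and keeps the next dictionary entry from being silently concatenated into that string.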
