diff roundup/cgi/actions.py @ 5217:17b213eab274

Add nonce to embedded script references. This should allow these scripts to execute with a nonce-.... content security policy (csp). However there is still a lot of inline javascript that a web developer needs to look at and rewrite the inline javascript (onsubmit, onclick ..) to be applied by a nonce authorized javascript library that adds event listeners. Ref: https://csp.withgoogle.com/docs/adopting-csp.html#refactor-inline-event-handlers-and-javascript-uris
author John Rouillard <rouilj@ieee.org>
date Thu, 23 Mar 2017 21:08:30 -0400
parents a9ace22e0a2f
children bc16d91b7a50 35b30ce991d0 2d61e39b89c8
--- a/roundup/cgi/actions.py	Wed Mar 22 22:03:01 2017 -0400
+++ b/roundup/cgi/actions.py	Thu Mar 23 21:08:30 2017 -0400
@@ -998,9 +998,10 @@
         # to want to reload the page, or something)
         return '''<html><head><title>%s</title></head>
             <body><p><a href="%s">%s</a></p>
-            <script type="text/javascript">
+            <script nonce="%s" type="text/javascript">
             window.setTimeout('window.location = "%s"', 1000);
-            </script>'''%(message, url, message, url)
+            </script>'''%(message, url, message,
+                          self.client.client_nonce, url)
 
 class ConfRegoAction(RegoCommon):
     def handle(self):
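Review bot: adding `nonce="%s"` to the `<script>` tag will not by itself let this script run under a nonce-based CSP, because the body still calls `window.setTimeout('window.location = "%s"', 1000)` with a string argument, which is evaluated like `eval` and is blocked unless the policy also carries `'unsafe-eval'`. Pass a function instead, e.g. `window.setTimeout(function () { window.location = "%s"; }, 1000);`, so the nonce is sufficient. Two smaller points on the same lines: `self.client.client_nonce` is not defined anywhere in this hunk, so the change depends on the client already generating a per-response nonce and emitting the matching `Content-Security-Policy` header, which the commit message should state; and `url` and `message` are still interpolated into the href, the link text and the script string without escaping, so the values reaching this template must already be safe for those contexts.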

Roundup Issue Tracker: http://roundup-tracker.org/