changeset 5217:17b213eab274

Add nonce to embedded script references. This should allow these scripts to execute with a nonce-.... content security policy (csp). However, there is still a lot of inline javascript (onsubmit, onclick, ...) that a web developer needs to look at and rewrite so that it is applied by a nonce-authorized javascript library that adds event listeners. Ref: https://csp.withgoogle.com/docs/adopting-csp.html#refactor-inline-event-handlers-and-javascript-uris
author John Rouillard <rouilj@ieee.org>
date Thu, 23 Mar 2017 21:08:30 -0400
parents 6a4317738a90
children 44f7e6b958fe
files roundup/cgi/KeywordsExpr.py roundup/cgi/actions.py roundup/cgi/templating.py
diffstat 3 files changed, 8 insertions(+), 6 deletions(-) [+]
--- a/roundup/cgi/KeywordsExpr.py	Wed Mar 22 22:03:01 2017 -0400
+++ b/roundup/cgi/KeywordsExpr.py	Thu Mar 23 21:08:30 2017 -0400
@@ -5,7 +5,7 @@
 <h3>Keyword Expression Editor:</h3>
 <hr/>
 <div id="content"></div>
-<script type="text/javascript">
+<script nonce="%(nonce)s" type="text/javascript">
 <!--
 
 var NOT_OP = "-2";
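Review bot: The nonce is interpolated unescaped into a double-quoted HTML attribute (`%(nonce)s` on the new `<script>` line, filled from `request.client.client_nonce` in the second hunk of this file). That is only sound if `client_nonce` is guaranteed to contain attribute-safe characters (base64 or hex), and nothing in this diff shows how it is generated; if it can be empty or unset, the page will render `nonce=""` or `nonce="None"` and the script will be blocked under the policy this change targets. I would record the invariant next to the new key in the second hunk, `# client_nonce is emitted unescaped into a quoted attribute; it must be attribute-safe and non-empty`, or assert it there. The `WINDOW_CONTENT` template this hunk edits starts before the hunk.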
@@ -265,7 +265,8 @@
     window_content = WINDOW_CONTENT % {
         'prop'    : prop,
         'keywords': items_to_keywords(list_nodes(request)),
-        'original': ''
+        'original': '',
+        'nonce': request.client.client_nonce
     }
 
     return window_content
--- a/roundup/cgi/actions.py	Wed Mar 22 22:03:01 2017 -0400
+++ b/roundup/cgi/actions.py	Thu Mar 23 21:08:30 2017 -0400
@@ -998,9 +998,10 @@
         # to want to reload the page, or something)
         return '''<html><head><title>%s</title></head>
             <body><p><a href="%s">%s</a></p>
-            <script type="text/javascript">
+            <script nonce="%s" type="text/javascript">
             window.setTimeout('window.location = "%s"', 1000);
-            </script>'''%(message, url, message, url)
+            </script>'''%(message, url, message,
+                          self.client.client_nonce, url)
 
 class ConfRegoAction(RegoCommon):
     def handle(self):
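Review bot: The redirect on the line after the new nonce attribute passes a string to `window.setTimeout`, which a nonce-based CSP treats like `eval` and blocks unless `'unsafe-eval'` is also allowed, so adding the nonce will not by itself let this page redirect. Use a function callback instead: `window.setTimeout(function () { window.location = "%s"; }, 1000);` — the format tuple stays as written. The `url` value is also placed inside a JavaScript string literal with no JS-string escaping; that predates this change but deserves a look while the line is being edited. The enclosing method starts outside the hunk.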
--- a/roundup/cgi/templating.py	Wed Mar 22 22:03:01 2017 -0400
+++ b/roundup/cgi/templating.py	Thu Mar 23 21:08:30 2017 -0400
@@ -2904,7 +2904,7 @@
 
     def base_javascript(self):
         return """
-<script type="text/javascript">
+<script nonce="%s" type="text/javascript">
 submitted = false;
 function submit_once() {
     if (submitted) {
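Review bot: `base_javascript` has no docstring, and with this change its output now depends on the client's CSP nonce, which callers embedding the returned markup need to know. I would add, directly under the `def` line, `"""Return the shared <script> block, tagged with the client's CSP nonce (self._client.client_nonce)."""`. The method body continues past the end of this hunk.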
@@ -2920,7 +2920,7 @@
     HelpWin.focus ()
 }
 </script>
-"""%self.base
+"""%(self._client.client_nonce,self.base)
 
     def batch(self, permission='View'):
         """ Return a batch object for results from the "current search"
