Compare commits


2 Commits
2.4.0 ... csp

Author SHA1 Message Date
Aleks-Daniel Jakimenko-Aleksejev
eda34108e1 All CSP parameters should start with -
This is best described by the docs:
“Each argument name is preceded by a dash. Neither case nor order matters in
the argument list. -type, -Type, and -TYPE are all acceptable. In fact, only
the first argument needs to begin with a dash. If a dash is present in the
first argument, CGI.pm assumes dashes for the subsequent ones.”

We construct our own hash %headers and then pass that to $q->header. Since
hash values are not ordered in any way (in fact the order is pretty much
random), sometimes CSP things will be at the front of the list. Since there
were no leading dashes, these were interpreted as something else.
2015-11-02 21:27:41 +02:00
Aleks-Daniel Jakimenko-Aleksejev
39a59e257f Content Security Policy
For now, it is turned off by default, but we should try to turn it on as soon
as we can (this will require us to make sure that nothing in the codebase is
using inline javascript).

By default, everything from 'self' is allowed. This is good enough and I don't
think that it should be stricter.

style-src is set to * (anywhere!) because of the default stylesheet (which is
fetched from oddmuse.org) and also because of the “css=” query option.

img-src is set to * because linking to external images is a very common thing.
2015-11-01 04:35:37 +02:00
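As an added illustration of the point made in the first commit message (this is example code written for this page, not code from Oddmuse or from the commit author): the script below builds the same CSP value from a %CspDirectives hash, parses it back to confirm every directive survived, and then shows how a header hash with a mix of dashed and undashed keys can be detected and normalized before it is handed to $q->header, so that the random flattening order of a Perl hash can no longer change how CGI.pm reads the list. The functions build_csp, parse_csp, keys_missing_dash and normalize_header_keys and the sample cookie value are assumptions made for this example; it uses only core Perl and does not call CGI.pm itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Oddmuse code): build the header value in the same
# "name source source; name source" shape the commit produces.
sub build_csp {
    my %directives = @_;
    return join '; ',
        map { join ' ', $_, @{ $directives{$_} } } sort keys %directives;
}

# Hypothetical helper: parse a CSP value back into directive => [sources],
# so the round trip can be checked. Directives are ';'-separated, tokens
# inside a directive are whitespace-separated, the first token is the name.
sub parse_csp {
    my ($value) = @_;
    my %out;
    for my $directive (split /\s*;\s*/, $value) {
        next unless length $directive;
        my ($name, @sources) = split /\s+/, $directive;
        $out{$name} = \@sources;
    }
    return %out;
}

# Hypothetical check: CGI.pm only treats the list as named arguments when
# the first argument begins with a dash, and a hash flattens in arbitrary
# order, so every key has to carry the dash. Returns the offending keys.
sub keys_missing_dash {
    my %headers = @_;
    return sort { $a cmp $b } grep { !/^-/ } keys %headers;
}

# Hypothetical helper: prefix a dash where it is missing so the hash is safe
# to pass as $q->header(%headers) whatever order the keys come out in.
sub normalize_header_keys {
    my %headers = @_;
    my %fixed;
    while (my ($k, $v) = each %headers) {
        my $nk = $k =~ /^-/ ? $k : "-$k";
        $fixed{$nk} = $v;
    }
    return %fixed;
}

# Constructed sample directives, mirroring the defaults introduced in the diff.
my %CspDirectives = (
    'default-src' => ["'self'"],
    'style-src'   => ['*'],
    'img-src'     => ['*'],
);
my $csp = build_csp(%CspDirectives);
print "CSP header value: $csp\n";

# Round trip: every configured directive must come back with the same sources.
my %parsed = parse_csp($csp);
for my $name (sort keys %CspDirectives) {
    my $want = join ' ', @{ $CspDirectives{$name} };
    my $got  = join ' ', @{ $parsed{$name} || [] };
    die "directive $name lost in round trip ($want vs $got)\n" if $want ne $got;
}
print "round trip ok for ", scalar(keys %parsed), " directives\n";

# The pre-fix shape: some keys dashed, the CSP ones not. Whether this works
# depends on which key happens to be flattened first, so flag it.
my %headers = (
    -type                       => 'text/html',
    -cookie                     => 'session=constructed-sample-value',
    'Content-Security-Policy'   => $csp,
    'X-Content-Security-Policy' => $csp,
);
my @bad = keys_missing_dash(%headers);
print "keys without a leading dash: @bad\n";

# After normalizing, the header list is safe in any order.
my %fixed = normalize_header_keys(%headers);
my @still_bad = keys_missing_dash(%fixed);
print "after normalizing: ", (@still_bad ? "@still_bad" : "none missing"), "\n";
```

The check is deliberately separate from the normalization: in a code base where header hashes are assembled in several places, running keys_missing_dash once over the finished hash (for example in a test) catches the mistake the commit describes without relying on the request that happens to flatten the hash in an unlucky order.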


@@ -101,6 +101,9 @@ our $EditPass //= ''; # Whitespace separated passwords.
our $PassHashFunction //= ''; # Name of the function to create hashes
our $PassSalt //= ''; # Salt will be added to any password before hashing
our $UseCsp = 0; # 1 = enable Content Security Policy # TODO should be enabled by default
our %CspDirectives = ('default-src' => ["'self'"], 'style-src' => ['*'], 'img-src' => ['*']); # CSP directives
our $BannedHosts = 'BannedHosts'; # Page for banned hosts
our $BannedCanRead = 1; # 1 = banned cannot edit, 0 = banned cannot read
our $BannedContent = 'BannedContent'; # Page for banned content (usually for link-ban)
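Review bot: the defaults on the `our %CspDirectives` line need a caveat next to them: a `*` source expression matches network schemes only, not `data:` or `blob:` URLs, and it never permits inline content, so with `img-src *` and `style-src *` data-URI images and inline `style=` attributes will be blocked as soon as `$UseCsp` is set to 1. If the wiki relies on either, list `data:` or `'unsafe-inline'` explicitly, and expand the `# CSP directives` comment to state the expected shape (directive name => list of source expressions) so that config-file edits get it right.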
@@ -2303,6 +2306,12 @@ sub GetHttpHeader {
$headers{-Content_Encoding} = $encoding if $encoding;
my $cookie = Cookie();
$headers{-cookie} = $cookie if $cookie;
if ($UseCsp) {
my $csp = join '; ', map { join ' ', $_, @{$CspDirectives{$_}} } sort keys %CspDirectives;
$headers{'-Content-Security-Policy'} = $csp;
$headers{'-X-Content-Security-Policy'} = $csp; # required for IE
$headers{'-X-Webkit-CSP'} = $csp; # required for UC browser
}
if ($q->request_method() eq 'HEAD') {
print $q->header(%headers), "\n\n"; # add newlines for FCGI because of exit()
exit; # total shortcut -- HEAD never expects anything other than the header!
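Review bot: the `map { join ' ', $_, @{$CspDirectives{$_}} }` line dereferences every value as an array reference, so a configuration entry such as `'img-src' => '*'` (a plain string instead of `['*']`) will die under strict refs on every request once `$UseCsp` is on; consider `my $v = $CspDirectives{$_}; ref $v ? @$v : $v`, or validate the hash once at startup, so that a mistyped directive produces a bad header rather than a broken site. The `-X-Content-Security-Policy` and `-X-Webkit-CSP` lines send the same policy three times, which is harmless, but the "required for IE" and "required for UC browser" comments should say that these are legacy prefixed headers only older engines consult, so a later reader knows they can be dropped.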