don't depend on the node-id cache, which is only available when xotcl-core is loaded

acs::per_request_cache: standardize per-request caching

- added per-request cache very similar to acs::per_thread_cache

- use per-request-cache on several occasions

- bump version number of acs-tcl to 5.10.0d35

fix typos

move ad_get_host_node_map and security-locations-host-names from db_cache_pool to partitioned cache

update comments concerning CSP "report-to" directive

remove useless semicolon

provide a global variable as transitional code for controlling passing of the password as a query variable

don't pass sensitive information (e.g. password) as a query variable, but use client properties instead.

see also issue #3344

moved "populate_secrect" to "sec_*" prefix to reduce clobbering of global namespace

address kernel_id always via variable rather than via method

backport security patch from oacs-5-10

add IPv6 loopback address as well as "always accepted" for web testing

always allow 127.0.0.1 in logindata as valid peer

don't trust login_cookie when no session_cookie is provided

improve cross references in apidoc

improve spelling

improve spelling

use the random number generator from OpenSSL when available

make debugging line more meaningful

Delete unneeded line

improve protection against attacked cookies

CSP: allow frame-ancestors

CSP: add default rules for form-action and frame-ancestors

improve spelling

improve spelling

CSP: add connect-src default rule

keep chain on session_ids in case the sessions change

- ad_set_cookie: add option "-samesite" and use it when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing contexts, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flag, in order to provide backward compatibility, the flag can't be activated by default on all cookies.
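Added example, not code from the OpenACS or NaviServer commits above: a small Python model of the three "-samesite" values as a browser applies them, next to a server-side builder for the Set-Cookie header that mirrors a strict|lax|none option. The function names (set_cookie_header, parse_set_cookie, cookie_sent), their signatures and the sample cookie values are assumptions made for this illustration and are not ad_set_cookie's or ns_setcookie's API.

```python
"""Added example: SameSite cookie semantics, server and browser side.
Not OpenACS or NaviServer code; names and signatures are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "strict", "lax", "none", or None when absent/unknown
    secure: bool = False


def set_cookie_header(name: str, value: str, samesite: Optional[str] = None,
                      secure: bool = True, http_only: bool = True, path: str = "/") -> str:
    """Build a Set-Cookie value; mirrors a '-samesite strict|lax|none' option
    (hypothetical signature, not ad_set_cookie's). Current browsers only honour
    SameSite=None together with Secure, so that combination is rejected here."""
    if samesite is not None and samesite not in ("strict", "lax", "none"):
        raise ValueError("samesite must be strict, lax or none")
    if samesite == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append("SameSite=" + samesite.capitalize())
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie value. Unknown attributes are skipped, which is exactly
    how a browser without SameSite support treats the flag."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().lower()
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value, samesite, secure)


def cookie_sent(cookie: Cookie, cross_site: bool, top_level_navigation: bool,
                method: str = "GET", samesite_supported: bool = True) -> bool:
    """Decide whether a browser attaches `cookie` to a request.

    cross_site: the request originates from a different site than the cookie's.
    top_level_navigation: a link click or address-bar navigation, as opposed to
        a subresource, frame or XHR/fetch request.
    samesite_supported: False models a browser predating the attribute; it sends
        the cookie as if the flag were not there.
    A missing attribute is treated as 'none', the default described in the
    commit text above (current Chromium defaults to 'lax' instead).
    """
    if not cross_site or not samesite_supported:
        return True
    mode = cookie.samesite or "none"
    if mode == "strict":
        return False  # never sent from a cross-site context
    if mode == "lax":
        # only on top-level navigations with a safe method (the "regular link" case)
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return True  # "none": sent on every cross-site request


if __name__ == "__main__":
    hdr = set_cookie_header("ad_session_id", "12345,abc", samesite="strict")
    c = parse_set_cookie(hdr)
    print(hdr)
    print("cross-site link click sends strict cookie:",
          cookie_sent(c, cross_site=True, top_level_navigation=True))
```

The "lax" branch is why it is the usual choice for a login cookie on a site that is reached through links from elsewhere: a strict cookie is dropped on that first click and the user appears logged out until the next same-site navigation, while lax still keeps the cookie off cross-site POSTs and embedded requests. The "none (default)" behaviour modelled here is the one at the time of the commit; Chromium-based browsers now treat a missing attribute as lax, so the header builder deliberately writes the attribute out rather than relying on a default.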

activate warnings in case the old IE bug is still around

ad_sign: generalize last ad_sign handling to allow user and csrf binding
