• last updated 17 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
- reduce verbosity

- CSP-reform: turn onclick handler into body_script with eventListener

- composition-rel reform: add one more type-cast

- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined

body-script

- turn "body_event_handlers" into "window.addEventListener"

- Improved compatiblity with PostgreSQL before 9.2:

don't use SQL-language function names to reference parameters to

obtain compatibility for earlier PostgreSQL versions

(see https://www.postgresql.org/docs/9.2/static/release-9-2.html

item E.19.3.9.3)

- fix upgrade script for PostgreSQL before 9.2: the old version checked

already the version number, but actually the SQL compilation failed

due to the unknown "IF EXISTS" for sequences.

- add required CSP directives

- update dependences on acs-tcl for CSP

- upgrade CKEditor version to 4.5.11

- bump version number to 5.9.1d11

    • -4
    • +4
    /openacs-4/packages/xowiki/xowiki.info
- add required CSP directives

- update dependences for CSP

- upgrade CKEditor version to 4.5.10

- bump version number to 0.6

- turn hardcoded inline script into a template::add_body_script to use CSP nonces

- bump version number to 1.3d15

    • -2
    • +2
    /openacs-4/packages/forums/forums.info
- use functions rather than strings in js setTimeout() for CSP

- use template::add_body_script to get csp nonces generated

- bump version to 0.47

- Added support for W3C Content Security Policy(CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:

Generate a CSP nonce token token

security::csp::require /directive/ /value/:

Add a requirements of a page to the CSP in order to generate

later a tailored policy with the minimal permissions for

this page. For example, the following requirement is

currently added per default to the oacs-master template to

permit style tags and style attribites in the markup.

security::csp::require style-src 'unsafe-inline'

security::csp::render:

Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/desctivate CSP

(default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

    • -2
    • +2
    /openacs-4/packages/acs-tcl/acs-tcl.info
- new function ::security::nonce_token to generate a nonce token as described in W3C Content Security Policy

- use "filter_return" in cases, where we can map the .adp file and improve documentation

- add support for W3C Subresource Integrity (SRI)

* For details about SRI, see https://www.w3.org/TR/SRI/

* Added arguments -crossorigin and -integrity

to the following functions

template::add_body_script

template::add_script

template::head::add_javascript

template::head::add_link

template::head::add_script

* Updated blank-master.adp

- some more cleanup:

* remove commented out code

* add missing argument documentation

(template::head::add_javascript)

* document arguments alphabetically

- bring version in www (in cvs) in sync with version from packages/acs-bootstrap-installer/installer/www/

- provide a better error message in case the request processor fails early

- Implements "Upgrade Insecure Requests" headers:

W3C Candidate Recommendation

https://www.w3.org/TR/upgrade-insecure-requests/

- security::redirect_to_secure: add flag "-script_abort" to make it

usable in filter procs (ad_script_abort triggers errors without

error message)

- security::get_secure_location:

* align implementation to function documentation (to make it usable

for sub-sites). Last version returned always the "configured

secure" location, not the "current secure location"

* replace regexps by util::split_location/util::join_location/

- add missing expand operator

- add kernel parameter to make ad_session_id cookies secure (useful on sites, where all sessions are via https, improves security rating on e.g. mozillas observatory tool)

- provide default masters in case no theme provides a template

file plain-streaming-head.adp was initially added on branch oacs-5-9.

file plain-streaming-head.tcl was initially added on branch oacs-5-9.

- reduce redundancy handling legacy network drivers

- simplify code

- fix bug for host-node-mapped subsites: on the (subsite) admin-page

of a host-node-mapped subsites, the link to site-wide-admin should

always point to the main site.

- add new helper function util::configured_location to address the bug

above to return the configured location as configured for the

current network driver. While [util_current_location] honors the

virtual host information of the host header field,

util::configured_location returns the main configured location

(probably the main subsite).

- extend [util_driver_info]

* make the passed-in array name optional and to return always a dict

* include the configured host name in the result (dict/array)

- add cross references via @see to make it easier to switch between

related functions

- bump version number of acs-tcl to 5.9.1d10 and acs-subsite to

5.9.1d7 to address dependencies

    • -2
    • +2
    /openacs-4/packages/acs-tcl/acs-tcl.info
- improve labels on "install from repo" (distinguish between "install" and "upgrade")

- fix potential problem, when form objs is already preloaded

    • -2
    • +5
    /openacs-4/packages/xowf/tcl/xowf-procs.tcl
Removed unnecesary exists, causing problems at least when form field file is used as repeat field, not showing the add button properly

- adding missing $ sign