Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -r1.70.2.19 -r1.70.2.20
--- openacs-4/packages/acs-tcl/acs-tcl.info 6 Sep 2016 17:33:55 -0000 1.70.2.19
+++ openacs-4/packages/acs-tcl/acs-tcl.info 13 Sep 2016 08:23:29 -0000 1.70.2.20
@@ -9,7 +9,7 @@
f
t
-
+
OpenACS
The Kernel Tcl API library.
2016-05-15
@@ -18,7 +18,7 @@
GPL version 2
3
-
+
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.78.2.28 -r1.78.2.29
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 12 Sep 2016 08:29:49 -0000 1.78.2.28
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 13 Sep 2016 08:23:29 -0000 1.78.2.29
@@ -2021,7 +2021,7 @@
}
# security::csp::require style-src 'unsafe-inline'
- ad_proc -public ::security::csp::require {directive value} {
+ ad_proc -public ::security::csp::require {{-force:boolean} directive value} {
Add a single value to a CSP directive
@directive name of the directive (such as e.g. style-src)
@value allowed source for this page (such as e.g. unsafe-inline)
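Review bot: The new `-force:boolean` switch on the changed ad_proc line is not described in the proc's doc block, which still documents only @directive and @value. Add a line after `@value`, for example `@param force additionally record the value as forced (::__csp__directive_forced); the renderer consults this for script-src to decide whether the nonce-src is emitted`, so callers see that forcing is a deliberate relaxation and not just a stronger "add". The body of ::security::csp::require continues outside this hunk.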
@@ -2030,6 +2030,13 @@
if {![info exists $var] || $value ni [set $var]} {
lappend $var $value
}
+ if {$force_p} {
+ ns_log notice "CSP: forcing $directive $value"
+ set var ::__csp__directive_forced($directive)
+ if {![info exists $var] || $value ni [set $var]} {
+ lappend $var $value
+ }
+ }
}
ad_proc -public ::security::csp::render {} {
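Review bot: The new `::__csp__directive_forced` array is written on the `set var` line but the hunk shows no reset for it; if the existing `::__csp__directive` array is cleared per request somewhere outside this hunk, the forced array needs the same treatment, otherwise a page that forces 'unsafe-inline' could leave the nonce suppressed for later requests served by the same thread (this is inferred from the global-variable pattern, not visible here). Since forcing 'unsafe-inline' on script-src causes render to omit the nonce-src in the following hunk, the page then allows any inline script, which is a real downgrade of the CSP; a reviewer would want that visible in the log, e.g. `ns_log warning "CSP: forcing $directive $value (nonce-src will be skipped for script-src)"` instead of notice. The enclosing proc starts before this hunk.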
@@ -2059,7 +2066,18 @@
# some security checkers just look for 'unsafe-inline' and
# downgrade the rating without honoring the 'nonce-src'.
#
- security::csp::require script-src 'nonce-$nonce'
+ # Another problem is mixed content. When we set the nonce-src
+ # and 'unsafe-inline', and a browser honoring nonces ignores
+ # the 'unsafe-inline', but some javascript framework requires
+ # it (e.g ckeditor4), we have a problem. Therefore, an
+ # application can force "'unsafe-inline'" which means that we
+ # do not set the nonce-src in such cases.
+ #
+ if {![info exists ::__csp__directive_forced(script-src)]
+ || "'unsafe-inline'" ni $::__csp__directive_forced(script-src)
+ } {
+ security::csp::require script-src 'nonce-$nonce'
+ }
# We need for the time being 'unsafe-inline' for style-src,
# otherwise not even the style attribute (e.g.