• last updated 15 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
- added call to subsite::page_plugin callback to blank-master

- standardize spellings

  1. … 2 more files in changeset.
merged changes from the oacs-5-9 branch and resolved conflicts

  1. … 7828 more files in changeset.
try to re-init packages on apm-load to overcome problems with blueprint updates on AOLserver

  1. … 3 more files in changeset.
remove misleading comment about XHTML

Standardize spellings of names

  1. … 12 more files in changeset.
Fix spelling errors, use OpenACS

  1. … 4 more files in changeset.
Fix spelling errors

  1. … 13 more files in changeset.
- Tcl idioms: simplify access to first character

  1. … 8 more files in changeset.
Put CSP stuff in the installer page only when required (an error is thrown and we need the back button)

In such case, make the nonce attribute safer by using the proc instead of the (likely missing) variable

  1. … 1 more file in changeset.
Removed inline event handlers to comply with CSP

- improve HTML quoting

- replace onchange handler in installer by event listeners (just for the sake of completeness)

- make sure to call template::head::prepare_multirows after all body_scripts are created

- bump version to 5.9.1d6

  1. … 1 more file in changeset.
- remove unneeded expr statements

  1. … 5 more files in changeset.
bootstrap installer:

- added csp policy to the files upgradeable via apm

- bumped version number to 5.9.1d5

  1. … 3 more files in changeset.
file csp-collector.tcl was initially added on branch oacs-5-9.

    • -0
    • +0
    ./www/SYSTEM/csp-collector.tcl
- use subst instead of doublequotes

-- handle ie 11 (uses a different header field for CSP)

- move CSP generation to the end

  1. … 1 more file in changeset.
- Refine security policies: when necessary, define both a nonce and a

'unsafe-inline' to ensure compatibility on some less adavanced

browsers

- use same "secure" setting for ad_session_id, otherwise, just the

last one is honored

- fix linefeed and semicolon in js for focus handling

  1. … 2 more files in changeset.
- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined

body-script

- turn "body_event_handlers" into "window.addEventListener"

  1. … 3 more files in changeset.
- Added support for W3C Content Security Policy(CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:

Generate a CSP nonce token token

security::csp::require /directive/ /value/:

Add a requirements of a page to the CSP in order to generate

later a tailored policy with the minimal permissions for

this page. For example, the following requirement is

currently added per default to the oacs-master template to

permit style tags and style attribites in the markup.

security::csp::require style-src 'unsafe-inline'

security::csp::render:

Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/desctivate CSP

(default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

  1. … 6 more files in changeset.
- add support for W3C Subresource Integrity (SRI)

* For details about SRI, see https://www.w3.org/TR/SRI/

* Added arguments -crossorigin and -integrity

to the following functions

template::add_body_script

template::add_script

template::head::add_javascript

template::head::add_link

template::head::add_script

* Updated blank-master.adp

- some more cleanup:

* remove commented out code

* add missing argument documentation

(template::head::add_javascript)

* document arguments alphabetically

  1. … 3 more files in changeset.
- simplify blank-master (replace per richtext-editor hacks by new plugin interface)

- bump version number to 5.9.1d2

  1. … 1 more file in changeset.
- Use global variables to reduce lock contention on busy sites:

* $::acs::default_database replaces [nsv_get db_default_database .]

* $::acs::known_database_types replaces [nsv_get ad_known_database_types .]

- Cache db_driverkey per-thread (variable ::acs::db_driverkey($dbn))

to reduce high number of locks

  1. … 4 more files in changeset.
- add editor hints to keep spaces/tabs in the furture more consistent

  1. … 750 more files in changeset.
- reset array "error" in case of initial install problems (array conflicts with scalar variable)

- remove trailing .html from doc references (to allow e.g. .adp as well)

  1. … 4 more files in changeset.
- Improve robustness of blank-master: malformed lists in subsite

parameters could render a subsite useless and hard to correct.

Now the validity of lists is checked, errors are written to the

error.log, invalid parameters are ignored.

- added flat list syntax for ThemeCSS specs (easier to read)

- added parameter ThemeJS similar to ThemeCSS (ability to add head and

body scripts)

- added generalized function template::add_script with non-pos

parameter "-section" which might be "head" or "body" to make both

kind of scripts available to ThemeJS

  1. … 11 more files in changeset.
- optional performance boost for site-nodes:

the site-node code contains an optional performance booster,

that speeds up site-node operations froma factor of 2 to

several thousand times. The performance boost ist just

available for the time being for PostgreSQL, XOTcl2 and

NaviServer and is only activated, when these componentes

are available.

- bump version numbers

  1. … 4 more files in changeset.
- improve validity for HTML5

  1. … 1 more file in changeset.