• last updated 14 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
-- handle ie 11 (uses a different header field for CSP)

- move CSP generation to the end

  1. … 1 more file in changeset.
- Refine security policies: when necessary, define both a nonce and a

'unsafe-inline' to ensure compatibility on some less adavanced

browsers

- use same "secure" setting for ad_session_id, otherwise, just the

last one is honored

- fix linefeed and semicolon in js for focus handling

  1. … 2 more files in changeset.
- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined

body-script

- turn "body_event_handlers" into "window.addEventListener"

  1. … 3 more files in changeset.
- Added support for W3C Content Security Policy(CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:

Generate a CSP nonce token token

security::csp::require /directive/ /value/:

Add a requirements of a page to the CSP in order to generate

later a tailored policy with the minimal permissions for

this page. For example, the following requirement is

currently added per default to the oacs-master template to

permit style tags and style attribites in the markup.

security::csp::require style-src 'unsafe-inline'

security::csp::render:

Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/desctivate CSP

(default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

  1. … 6 more files in changeset.
- add support for W3C Subresource Integrity (SRI)

* For details about SRI, see https://www.w3.org/TR/SRI/

* Added arguments -crossorigin and -integrity

to the following functions

template::add_body_script

template::add_script

template::head::add_javascript

template::head::add_link

template::head::add_script

* Updated blank-master.adp

- some more cleanup:

* remove commented out code

* add missing argument documentation

(template::head::add_javascript)

* document arguments alphabetically

  1. … 3 more files in changeset.
- simplify blank-master (replace per richtext-editor hacks by new plugin interface)

- bump version number to 5.9.1d2

  1. … 1 more file in changeset.
- Use global variables to reduce lock contention on busy sites:

* $::acs::default_database replaces [nsv_get db_default_database .]

* $::acs::known_database_types replaces [nsv_get ad_known_database_types .]

- Cache db_driverkey per-thread (variable ::acs::db_driverkey($dbn))

to reduce high number of locks

  1. … 4 more files in changeset.
- add editor hints to keep spaces/tabs in the furture more consistent

  1. … 750 more files in changeset.
- reset array "error" in case of initial install problems (array conflicts with scalar variable)

- remove trailing .html from doc references (to allow e.g. .adp as well)

  1. … 4 more files in changeset.
- Improve robustness of blank-master: malformed lists in subsite

parameters could render a subsite useless and hard to correct.

Now the validity of lists is checked, errors are written to the

error.log, invalid parameters are ignored.

- added flat list syntax for ThemeCSS specs (easier to read)

- added parameter ThemeJS similar to ThemeCSS (ability to add head and

body scripts)

- added generalized function template::add_script with non-pos

parameter "-section" which might be "head" or "body" to make both

kind of scripts available to ThemeJS

  1. … 11 more files in changeset.
- optional performance boost for site-nodes:

the site-node code contains an optional performance booster,

that speeds up site-node operations froma factor of 2 to

several thousand times. The performance boost ist just

available for the time being for PostgreSQL, XOTcl2 and

NaviServer and is only activated, when these componentes

are available.

- bump version numbers

  1. … 4 more files in changeset.
- improve validity for HTML5

  1. … 1 more file in changeset.

ad_proc reform:

- use nsf::proc for defining ad_procs, when nsf::proc is available

- nsf::proc is part of the environment of XOTcl2 and provides

an efficient, C-implemented argument parser that can replace

the scripted *__arg_parser of OpenACS.

- The benefits are performance and reduced memory consumption.

* Simple functions (where the calling overhead was a large

part of the execution times can become several times faster

(e.g. db_name is 3x faster, cookie handling is 2x faster),

for functions with much db-activities the percentage will

be less.

* The memory consumption (RSS) of a site like OpenACS.org

is reduced by about 15%.

NEW (with nsf::proc)

::ad_get_cookie x: 10.93 microseconds per iteration

::ad_get_cookie ad_session_id: 21.95 microseconds per iteration

::dt_systime: 24.89 microseconds per iteration

::db_name: 8.70 microseconds per iteration

::db_string dbqd.null.g "select version() from dual": 316.66 microseconds per iteration

::ad_convert_to_html "hello world": 102.29 microseconds per iteration

OLD (without nsf::proc)

::ad_get_cookie x: 19.42 microseconds per iteration

::ad_get_cookie ad_session_id: 30.10 microseconds per iteration

::dt_systime: 27.55 microseconds per iteration

::db_name: 32.28 microseconds per iteration

::db_string dbqd.null.g "select version() from dual": 366.69 microseconds per iteration

::ad_convert_to_html "hello world": 160.51 microseconds per iteration

======================================================================

proc mtime cmd {set c 5000

set t [time [list time $cmd $c]];

regexp {^(-?[0-9]+) +} $t _ mS1;

set ms [expr {$mS1*1.0/$c}];

return "[format %6.2f $ms] microseconds per iteration"

}

set tests {

{::ad_get_cookie x} {::ad_get_cookie ad_session_id} {::dt_systime}

{::db_name} {::db_string dbqd.null.g "select version() from dual"}

{::ad_convert_to_html "hello world"}

}

foreach t $tests {append ::_ $t ": " [mtime $t] \n}

set ::_

======================================================================

  1. … 9 more files in changeset.
- provide minimal support for ckeditor4 (via CDN)

- added changes from antonio to pass handling for unknown editor to the master templates

  1. … 2 more files in changeset.
- ensure proper encoding of hrefs

  1. … 13 more files in changeset.
- improve safety of HTML

  1. … 1 more file in changeset.
- provide defaults for Content-Style-Type and Content-Script-Type

  1. … 1 more file in changeset.
- allow upgrade of blank-master.{tcl,adp} via install-from-repository. This files should be free of site-specific customizations

    • -0
    • +39
    ./www/blank-master.adp
    • -0
    • +268
    ./www/blank-master.tcl
  1. … 2 more files in changeset.
Merging back to HEAD branch oacs-5-8 (using tag vg-merge-oacs-5-8-from-20141027).

  1. … 2544 more files in changeset.
- allow to upgrade basic startup files (openacs-4/tcl/*tcl)

to be upgraded via "install from repository" by adding

and after-upgrade callback to bootstrap-installer and

copying the files from there.

- move initialization of nsv_arrays for apm to -init file in acs-tcl

(as suggested by Peter Marklund, but never implemented)

- use double colon prefix rather than "global" statement

to denote global variables

- bump version number to 5.8.1d3

  1. … 2 more files in changeset.
file 0-acs-init.tcl was initially added on branch oacs-5-8.

file zz-postload.tcl was initially added on branch oacs-5-8.

- use $::acs::rootdir rather than [acs_root_dir] or [get_server_root]

  1. … 12 more files in changeset.
- check for tcl version 8.5

- remove obsolete information

- improve independence from local vs. global driver configuration

- get rid of empty_string_p

  1. … 20 more files in changeset.
- get rid of last ad_user_new (deprecated function)

- naviserver compatiblity fix

software.adp is no longer valid as file url but a directory (canonical url)

remove deprecated calls to ad_parameter