Standardize spellings of names

  1. … 12 more files in changeset.
Fix spelling errors, use OpenACS

  1. … 4 more files in changeset.
Fix spelling errors

  1. … 13 more files in changeset.
- Tcl idioms: simplify access to first character

  1. … 8 more files in changeset.
Put CSP stuff in the installer page only when required (an error is thrown and we need the back button)

In such case, make the nonce attribute safer by using the proc instead of the (likely missing) variable

  1. … 1 more file in changeset.
Removed inline event handlers to comply with CSP

- improve HTML quoting

- replace onchange handler in installer by event listeners (just for the sake of completeness)

- make sure to call template::head::prepare_multirows after all body_scripts are created

- bump version to 5.9.1d6

  1. … 1 more file in changeset.
- remove unneeded expr statements

  1. … 5 more files in changeset.
bootstrap installer:

- added csp policy to the files upgradeable via apm

- bumped version number to 5.9.1d5

  1. … 3 more files in changeset.
file csp-collector.tcl was initially added on branch oacs-5-9.

  ./www/SYSTEM/csp-collector.tcl (+0 / -0)
- use subst instead of doublequotes

- handle IE 11 (uses a different header field for CSP)

- move CSP generation to the end

  1. … 1 more file in changeset.
- Refine security policies: when necessary, define both a nonce and
  'unsafe-inline' to ensure compatibility on some less advanced
  browsers

- use same "secure" setting for ad_session_id, otherwise, just the
  last one is honored

- fix linefeed and semicolon in js for focus handling

  1. … 2 more files in changeset.
- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined
  body-script

- turn "body_event_handlers" into "window.addEventListener"

  1. … 3 more files in changeset.
- Added support for W3C Content Security Policy (CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:
  Generate a CSP nonce token

security::csp::require /directive/ /value/:
  Add a requirement of a page to the CSP in order to generate
  later a tailored policy with the minimal permissions for
  this page. For example, the following requirement is
  currently added per default to the oacs-master template to
  permit style tags and style attributes in the markup.

    security::csp::require style-src 'unsafe-inline'

security::csp::render:
  Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/deactivate CSP
  (default on)

- Bump version numbers
  acs-tcl to 5.9.1d11
  acs-bootstrap-installer to 5.9.1d4
  acs-kernel to 5.9.1d17

  1. … 6 more files in changeset.
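The three CSP commits above (collecting per-page requirements, adding a nonce to script tags only when one exists, emitting both the nonce and 'unsafe-inline' for older browsers, and sending IE 11 its own header field) describe one technique. The following is an added example, written in Python rather than the project's Tcl; it is not OpenACS code and `CspPolicy`, `script_tag`, the `legacy_compat` flag and the `"Trident/"` user-agent test are illustrative assumptions. It keeps the shape of the commit's API: `nonce()` stands in for `security::csp::nonce`, `require()` for `security::csp::require`, `render()` for `security::csp::render`.

```python
"""Added example, not OpenACS code: a per-page CSP builder.

One policy object lives for one response.  Page fragments call require()
to declare what they need; the master template calls render() last, after
all body scripts are registered, so the policy is tailored to the page.
"""
import secrets


class CspPolicy:
    """Collects CSP requirements for one page and renders the policy."""

    def __init__(self, default_src="'self'"):
        self._nonce = None          # created on first use only
        self._reqs = {}             # directive -> ordered list of sources
        self.require("default-src", default_src)

    def nonce(self):
        """Return this page's nonce, minting it (once) on first use.

        Minting the nonce also registers it under script-src, so the
        policy only carries a nonce when some script tag actually used it.
        """
        if self._nonce is None:
            self._nonce = secrets.token_urlsafe(16)     # 128 random bits
            self.require("script-src", f"'nonce-{self._nonce}'")
        return self._nonce

    def require(self, directive, value):
        """Record that the page needs `value` under `directive` (no duplicates)."""
        values = self._reqs.setdefault(directive, [])
        if value not in values:
            values.append(value)

    def render(self, legacy_compat=True):
        """Render the policy string.

        With legacy_compat, every directive that carries a nonce also gets
        'unsafe-inline': CSP Level 2 browsers ignore 'unsafe-inline' when a
        nonce is present, while CSP Level 1 browsers (which know no nonces)
        would otherwise block every inline script.
        """
        parts = []
        for directive, values in self._reqs.items():
            values = list(values)
            has_nonce = any(v.startswith("'nonce-") for v in values)
            if legacy_compat and has_nonce and "'unsafe-inline'" not in values:
                values.append("'unsafe-inline'")
            parts.append(f"{directive} {' '.join(values)}")
        return "; ".join(parts)

    def header(self, user_agent, legacy_compat=True):
        """Return (header-name, value).  IE 10/11 only honour the legacy
        X-Content-Security-Policy field; the Trident/ check is an
        illustrative assumption for detecting them."""
        name = ("X-Content-Security-Policy" if "Trident/" in user_agent
                else "Content-Security-Policy")
        return name, self.render(legacy_compat)


def script_tag(policy, src):
    """Emit a script tag whose nonce attribute comes from the policy object
    (the proc), never from a template variable that may be unset."""
    return f'<script nonce="{policy.nonce()}" src="{src}"></script>'


if __name__ == "__main__":
    p = CspPolicy()
    p.require("style-src", "'unsafe-inline'")     # as in oacs-master
    print(script_tag(p, "/resources/app.js"))
    print(p.header("Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"))
    print(p.header("Mozilla/5.0 Firefox/60.0"))
```

The order matters in practice exactly as the commit notes: `render()` must run after every fragment has had its chance to call `require()` or `nonce()`, otherwise the policy omits sources the page needs and the browser blocks them.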
- add support for W3C Subresource Integrity (SRI)

* For details about SRI, see https://www.w3.org/TR/SRI/

* Added arguments -crossorigin and -integrity
  to the following functions
    template::add_body_script
    template::add_script
    template::head::add_javascript
    template::head::add_link
    template::head::add_script
* Updated blank-master.adp

- some more cleanup:
  * remove commented out code
  * add missing argument documentation
    (template::head::add_javascript)
  * document arguments alphabetically

  1. … 3 more files in changeset.
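The -integrity and -crossorigin arguments added above are the two halves of Subresource Integrity: the page author publishes a hash of the exact bytes it expects, and the browser refuses a resource that does not match. The following is an added example, not OpenACS code, showing both sides: producing the `integrity` value for a script, and checking a fetched body the way the SRI spec does (several tokens may be given; only those using the strongest listed algorithm count, and metadata with no recognised token imposes no check). The function names and the sample script body are constructed for illustration.

```python
"""Added example, not OpenACS code: Subresource Integrity (SRI) hashing
and verification for <script>/<link> resources."""
import base64
import hashlib

# Algorithms the SRI spec allows, ordered by strength.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body, algorithm="sha384"):
    """Return an integrity token ("sha384-<base64 digest>") for `body`."""
    if algorithm not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body, crossorigin="anonymous"):
    """Emit a script tag pinned to `body`.

    crossorigin is required for resources on another origin: without a CORS
    response the browser gets an opaque body it cannot hash, and the
    integrity check fails closed.
    """
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="{crossorigin}"></script>')


def sri_verify(body, integrity_attr):
    """Check `body` against an integrity attribute as a browser would."""
    parsed = []
    for token in integrity_attr.split():
        algorithm, _, digest = token.partition("-")
        if algorithm in STRENGTH and digest:
            parsed.append((algorithm, digest))
    if not parsed:
        return True            # no usable metadata: spec says do not enforce
    best = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_hash(body, a) == f"{a}-{d}"
               for a, d in parsed if STRENGTH[a] == best)


if __name__ == "__main__":
    # Constructed sample resource; in practice hash the file you deploy.
    sample = b"window.acs_Focus = function () {};\n"
    tag = script_tag("https://cdn.example/focus.js", sample)
    print(tag)
    print("intact:", sri_verify(sample, sri_hash(sample)))
    print("tampered:", sri_verify(sample + b"//x", sri_hash(sample)))
```

Generate the token from the bytes you actually ship (a minifier rerun or a CDN that re-encodes the file changes the hash) and regenerate it whenever the resource is upgraded.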
- simplify blank-master (replace per richtext-editor hacks by new plugin interface)

- bump version number to 5.9.1d2

  1. … 1 more file in changeset.
- Use global variables to reduce lock contention on busy sites:
  * $::acs::default_database replaces [nsv_get db_default_database .]
  * $::acs::known_database_types replaces [nsv_get ad_known_database_types .]

- Cache db_driverkey per-thread (variable ::acs::db_driverkey($dbn))
  to reduce high number of locks

  1. … 4 more files in changeset.
- add editor hints to keep spaces/tabs in the future more consistent

  1. … 750 more files in changeset.
- reset array "error" in case of initial install problems (array conflicts with scalar variable)

- remove trailing .html from doc references (to allow e.g. .adp as well)

  1. … 4 more files in changeset.
- Improve robustness of blank-master: malformed lists in subsite
  parameters could render a subsite useless and hard to correct.
  Now the validity of lists is checked, errors are written to the
  error.log, invalid parameters are ignored.

- added flat list syntax for ThemeCSS specs (easier to read)

- added parameter ThemeJS similar to ThemeCSS (ability to add head and
  body scripts)

- added generalized function template::add_script with non-pos
  parameter "-section" which might be "head" or "body" to make both
  kind of scripts available to ThemeJS

  1. … 11 more files in changeset.
- optional performance boost for site-nodes:
  the site-node code contains an optional performance booster,
  that speeds up site-node operations from a factor of 2 to
  several thousand times. The performance boost is just
  available for the time being for PostgreSQL, XOTcl2 and
  NaviServer and is only activated, when these components
  are available.

- bump version numbers

  1. … 4 more files in changeset.
- improve validity for HTML5

  1. … 1 more file in changeset.

ad_proc reform:

- use nsf::proc for defining ad_procs, when nsf::proc is available

- nsf::proc is part of the environment of XOTcl2 and provides
  an efficient, C-implemented argument parser that can replace
  the scripted *__arg_parser of OpenACS.

- The benefits are performance and reduced memory consumption.

  * Simple functions (where the calling overhead was a large
    part of the execution time) can become several times faster
    (e.g. db_name is 3x faster, cookie handling is 2x faster);
    for functions with much db-activity the percentage will
    be less.

  * The memory consumption (RSS) of a site like OpenACS.org
    is reduced by about 15%.

NEW (with nsf::proc)
  ::ad_get_cookie x:                                            10.93 microseconds per iteration
  ::ad_get_cookie ad_session_id:                                21.95 microseconds per iteration
  ::dt_systime:                                                 24.89 microseconds per iteration
  ::db_name:                                                     8.70 microseconds per iteration
  ::db_string dbqd.null.g "select version() from dual":        316.66 microseconds per iteration
  ::ad_convert_to_html "hello world":                          102.29 microseconds per iteration

OLD (without nsf::proc)
  ::ad_get_cookie x:                                            19.42 microseconds per iteration
  ::ad_get_cookie ad_session_id:                                30.10 microseconds per iteration
  ::dt_systime:                                                 27.55 microseconds per iteration
  ::db_name:                                                    32.28 microseconds per iteration
  ::db_string dbqd.null.g "select version() from dual":        366.69 microseconds per iteration
  ::ad_convert_to_html "hello world":                          160.51 microseconds per iteration

======================================================================

# Benchmark script used for the numbers above: runs each command
# 5000 times and reports the mean wall-clock time per iteration.
proc mtime cmd {
    set c 5000
    # [time $cmd $c] runs the command c times; the outer [time]
    # measures that whole run once, giving the total in microseconds.
    set t [time [list time $cmd $c]]
    regexp {^(-?[0-9]+) +} $t _ mS1
    set ms [expr {$mS1*1.0/$c}]
    return "[format %6.2f $ms] microseconds per iteration"
}

set tests {
    {::ad_get_cookie x} {::ad_get_cookie ad_session_id} {::dt_systime}
    {::db_name} {::db_string dbqd.null.g "select version() from dual"}
    {::ad_convert_to_html "hello world"}
}

foreach t $tests {append ::_ $t ": " [mtime $t] \n}
set ::_

======================================================================

  1. … 9 more files in changeset.
- provide minimal support for ckeditor4 (via CDN)

- added changes from Antonio to pass handling for unknown editor to the master templates

  1. … 2 more files in changeset.
- ensure proper encoding of hrefs

  1. … 13 more files in changeset.
- improve safety of HTML

  1. … 1 more file in changeset.