• last updated 3 hours ago
Constraints: committers
Constraints: files
Constraints: dates
remove useless semicolon

provde a global variable as transitional code for controlling passing of password as query variable

  1. … 2 more files in changeset.
don't pass sensitive information (e.g. password) as query variable, but use client properties instead.

see also issue #3344

  1. … 5 more files in changeset.
moved "populate_secrect" to "sec_*" prefix to reduce clobbering of global namespace

  1. … 6 more files in changeset.
addres kernel_id always via variable rathen than via method

backport security patch from oacs-5-10

  1. … 1 more file in changeset.
add IPv6 loopback address as well as "always accepted" for web testing

allow always in logindata as valid peer

don't trust login_cookie, when no session_cookie is provided

improve cross references in apidoc

  1. … 1 more file in changeset.
improve spelling

  1. … 1 more file in changeset.
improve spelling

  1. … 15 more files in changeset.
use the random number generator from OpenSSL, when available

  1. … 1 more file in changeset.
make debugging line more meaningful

Delete unneeded line

improve protection against attacked cookies

CSP: allow frame-ancestors

CSP: add default rules for form-action and frame-ancestors

improve spelling

  1. … 14 more files in changeset.
improve spelling

  1. … 6 more files in changeset.
CSP: add connect-src default rule

keep chain on session_ids in case the sessions change

- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from

sending this cookie along with cross-site requests to mitigate cross site

scripting attacks. Permissible values are [term strict], [term lax],

or [term none] (default). While the value [term strict] prevents

sending the cookie to the target site in all cross-site browsing

context, the value of [term lax] allows sending the cookie when the

user clicks on regular links. For details, see


This cookie flag is not yet part of an RFC, but most major browsers

support it. Browsers that do not support it, ignore the flag

silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to

provide backward compatibility, the flag can't be activated by

default on all cookies.

  1. … 2 more files in changeset.
activate warnings in case the old IE bug is still around

ad_sign: generalize last ad_sign handling to

allow user and csrf binding

  1. … 4 more files in changeset.
ad_sign: new optional parameter "user_binding"

The parameter user_binding allows to bind a signature to a user.

When the value is "-1" only the user who created the signature can

obtain the value again. A value of 0 (default) means no user binding.

The permissible values might be extended in the future.

bump version number to 5.10.0d24

  1. … 2 more files in changeset.
improve comments, make function private to avoid confusions

switch from security::nonce_token to ::security::csp::nonce and update comments

replace broken redirect with standard redirect function (auth::require_login)

no need for eagerly releasing handles