Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -r1.95.2.42 -r1.95.2.43
--- openacs-4/packages/acs-tcl/acs-tcl.info 3 Mar 2022 18:40:12 -0000 1.95.2.42
+++ openacs-4/packages/acs-tcl/acs-tcl.info 1 Apr 2022 13:54:53 -0000 1.95.2.43
@@ -9,7 +9,7 @@
f
t
-
+
OpenACS
The Kernel Tcl API library.
2021-09-15
@@ -18,7 +18,7 @@
GPL version 2
3
-
+
Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -r1.153.2.53 -r1.153.2.54
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl 29 Mar 2022 08:50:53 -0000 1.153.2.53
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl 1 Apr 2022 13:54:53 -0000 1.153.2.54
@@ -463,6 +463,9 @@
}
ns_setexpires $expireTime
}
+ set mime_type [ns_guesstype $path]
+ ::security::csp::add_static_resource_header -mime_type $mime_type
+
ns_returnfile 200 [ns_guesstype $path] $path
return filter_return
}
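Review bot: The new line computes `ns_guesstype $path` into `mime_type`, but the unchanged `ns_returnfile` line two lines below calls `ns_guesstype $path` again instead of using the variable, so the value that selects the Content-Security-Policy and the value sent as Content-Type come from two separate calls. They agree today because both take the same `$path`, but the duplication is a maintenance hazard: a later change to one call (for example adding a charset or an override) would silently desynchronize the CSP lookup from the delivered type. I would reuse the variable, `ns_returnfile 200 $mime_type $path`, so that the policy and the Content-Type are provably derived from the same value. The enclosing proc starts before this hunk, so I cannot tell whether `path` has been normalized by the time it reaches here.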
Index: openacs-4/packages/acs-tcl/tcl/security-init.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-init.tcl,v
diff -u -r1.6.2.2 -r1.6.2.3
--- openacs-4/packages/acs-tcl/tcl/security-init.tcl 14 Jan 2021 18:18:55 -0000 1.6.2.2
+++ openacs-4/packages/acs-tcl/tcl/security-init.tcl 1 Apr 2022 13:54:53 -0000 1.6.2.3
@@ -1,6 +1,6 @@
ad_library {
- Provides methods for authorizing and identifying ACS
+ Provides methods for authorizing and identifying ACS
(both logged in and not) and tracking their sessions.
@creation-date 16 Feb 2000
@@ -23,7 +23,7 @@
sec_populate_secret_tokens_cache
# These procedures are dynamically defined so that parameter::get
-# does not need to be called directly in the RP.
+# does not need to be called directly in the RP.
proc sec_session_timeout {} "
return \"[parameter::get -package_id [ad_acs_kernel_id] -parameter SessionTimeout -default 1200]\"
"
@@ -37,6 +37,20 @@
"
#
+# Get content security policy rules for static resources from the
+# OpenACS configuration file. The definition can be there like e.g.
+#
+# ns_section ns/server/$server/acs {
+# ...
+# ns_param StaticCSP {
+# image/svg+xml "script-src 'none'"
+# }
+# ...
+# }
+#
+set ::security::csp::static_csp [ns_config "ns/server/[ns_info server]/acs" StaticCSP]
+
+#
# If there is a re-init, make sure the global handler-variables are reset
#
sec_handler_reset
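Review bot: The value read from `StaticCSP` on the `set ::security::csp::static_csp` line is stored without any validation, although the consumer (`::security::csp::add_static_resource_header` in this same commit) treats it as a Tcl dict with `dict exists`/`dict get`. A typo in the config file that leaves an odd number of elements (for example a missing closing quote around a policy) would not surface at startup but as a runtime error on every static-file request, which in this code path means static resources stop being served. Checking the shape once at init and falling back to an empty dict keeps a bad config from turning into an outage, and an error log entry makes the misconfiguration visible immediately. The comment above could also state that the MIME-type keys must match the string returned by `ns_guesstype` exactly (presumably lowercase, as in the `image/svg+xml` example) since dict lookups are case-sensitive.
```tcl
set ::security::csp::static_csp [ns_config "ns/server/[ns_info server]/acs" StaticCSP]
#
# A malformed value would otherwise fail on every static request; fall back
# to "no static policies" and make the problem visible in the log.
#
if {[catch {dict size $::security::csp::static_csp} errorMsg]} {
    ns_log error "StaticCSP in section ns/server/[ns_info server]/acs is not a valid dict: $errorMsg"
    set ::security::csp::static_csp {}
}
```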
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.126.2.64 -r1.126.2.65
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 29 Mar 2022 09:25:04 -0000 1.126.2.64
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 1 Apr 2022 13:54:53 -0000 1.126.2.65
@@ -879,7 +879,7 @@
}
ad_proc -private security::cookie_name {plain_name} {
-
+
} {
#
# Setting a cookie always requires a connection.
@@ -3088,6 +3088,26 @@
return $policy
}
+ ad_proc -public ::security::csp::add_static_resource_header {
+ {-mime_type:required}
+ } {
+
+ Set the CSP rule on the current connection for a static
+ resource depending on the MIME type.
+
+ @param mime_type MIME type of the resource to be delivered
+ } {
+ if {![ns_conn isconnected]} {
+ error "Content-Security-Policy headers can be only set for active connections"
+ }
+ if {[dict exists $::security::csp::static_csp $mime_type]} {
+ ns_set iupdate [ns_conn outputheaders] \
+ "Content-Security-Policy" [dict get $::security::csp::static_csp $mime_type]
+ ns_log notice "STATIC $mime_type: Content-Security-Policy [dict get $::security::csp::static_csp $mime_type]"
+ } else {
+ ns_log notice "STATIC $mime_type: no Content-Security-Policy defined for this MIME type"
+ }
+ }
}
#TODO remove me: just for a transition phase
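Review bot: Both branches of the new `if {[dict exists ...]}` block in `add_static_resource_header` log at `notice` level on every static resource request, which will flood the server log on any page with a few dozen images or scripts; these messages look like development tracing and should be `debug` (or dropped in the "no policy defined" branch). The policy is also fetched twice with `dict get`; fetching it once reads better: `set policy [dict get $::security::csp::static_csp $mime_type]`, `ns_set iupdate [ns_conn outputheaders] "Content-Security-Policy" $policy`, `ns_log debug "STATIC $mime_type: Content-Security-Policy $policy"`. The docstring should also mention where the policy table comes from, e.g. `The policies are taken from the StaticCSP parameter of the "acs" section of the server configuration file, keyed by MIME type.`, since nothing in the proc itself says how `::security::csp::static_csp` is populated. Note that `ns_set iupdate` replaces any Content-Security-Policy header already present, so a policy set earlier for the connection is silently overridden for matching MIME types; if that is intended it deserves a sentence in the docstring.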