author | Jelle van der Waa <jelle@vdwaa.nl> | 2019-01-29 16:42:54 +0100 |
---|---|---|
committer | Jelle van der Waa <jelle@archlinux.org> | 2019-02-18 16:42:51 +0100 |
commit | 3525458926dfa47e6c7bcedb4304cc243e78d47a (patch) | |
tree | 413b8c898c71fd6a07c797193768eaaf0071e80a /templates | |
parent | 6b22bedd82ae69a54f15c2f5f64f9f3945e5fb43 (diff) | |
download | archweb-3525458926dfa47e6c7bcedb4304cc243e78d47a.tar.gz archweb-3525458926dfa47e6c7bcedb4304cc243e78d47a.zip |
Implement CSP for archweb
Add django-csp as a dependency so that the CSP can be set in Django's
settings, and allow setting a CSP_NONCE on inline <script> tags in
templates. Since archweb relies heavily on inline scripts, this is the
best compromise.
Diffstat (limited to 'templates')
-rw-r--r-- | templates/devel/clock.html | 2 | ||||
-rw-r--r-- | templates/devel/index.html | 2 | ||||
-rw-r--r-- | templates/devel/packages.html | 2 | ||||
-rw-r--r-- | templates/devel/profile.html | 2 | ||||
-rw-r--r-- | templates/mirrors/mirror_details.html | 2 | ||||
-rw-r--r-- | templates/mirrors/mirrors.html | 2 | ||||
-rw-r--r-- | templates/mirrors/status.html | 2 | ||||
-rw-r--r-- | templates/mirrors/url_details.html | 2 | ||||
-rw-r--r-- | templates/news/add.html | 2 | ||||
-rw-r--r-- | templates/packages/details.html | 2 | ||||
-rw-r--r-- | templates/packages/differences.html | 2 | ||||
-rw-r--r-- | templates/packages/groups.html | 2 | ||||
-rw-r--r-- | templates/packages/packages_list.html | 2 | ||||
-rw-r--r-- | templates/packages/signoffs.html | 2 | ||||
-rw-r--r-- | templates/packages/stale_relations.html | 2 | ||||
-rw-r--r-- | templates/public/keys.html | 2 | ||||
-rw-r--r-- | templates/registration/login.html | 2 | ||||
-rw-r--r-- | templates/releng/release_list.html | 2 | ||||
-rw-r--r-- | templates/todolists/list.html | 2 | ||||
-rw-r--r-- | templates/todolists/view.html | 2 | ||||
-rw-r--r-- | templates/visualize/index.html | 2 |
21 files changed, 21 insertions, 21 deletions
diff --git a/templates/devel/clock.html b/templates/devel/clock.html
index 2c5bfacf..88cc93e7 100644
--- a/templates/devel/clock.html
+++ b/templates/devel/clock.html
@@ -61,7 +61,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $("#clocks-table:has(tbody tr)").tablesorter({
 widgets: ['zebra'],
diff --git a/templates/devel/index.html b/templates/devel/index.html
index dfe1d1fa..4f788d6d 100644
--- a/templates/devel/index.html
+++ b/templates/devel/index.html
@@ -167,7 +167,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $("#stats-message").html('Loading developer stats…');
 $("#stats-area").load('stats/', function(response, status, xhr) {
diff --git a/templates/devel/packages.html b/templates/devel/packages.html
index c75f81eb..762fc6f0 100644
--- a/templates/devel/packages.html
+++ b/templates/devel/packages.html
@@ -78,7 +78,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $(".results").tablesorter({widgets: ['zebra']});
 });
diff --git a/templates/devel/profile.html b/templates/devel/profile.html
index acdc22a9..50bb33dd 100644
--- a/templates/devel/profile.html
+++ b/templates/devel/profile.html
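Review bot: The added `nonce={{ CSP_NONCE }}` attribute is unquoted here and in every other template hunk of this commit except templates/packages/details.html, which writes `nonce="{{ CSP_NONCE }}"`. Nonces are normally base64 text that can end in `=` padding, and `=` is not a valid character in an unquoted HTML attribute value, so the attribute should be quoted everywhere: `<script type="text/javascript" nonce="{{ CSP_NONCE }}">`. Quoting also keeps the tag well-formed if the variable ever renders empty. The inline script body continues past the end of each hunk.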
@@ -29,7 +29,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 modify_attributes({
 '#id_email': {type: 'email'},
 '#id_alias': {autocorrect: 'off', autocapitalize: 'off'},
diff --git a/templates/mirrors/mirror_details.html b/templates/mirrors/mirror_details.html
index 0c0d5559..05a4b0da 100644
--- a/templates/mirrors/mirror_details.html
+++ b/templates/mirrors/mirror_details.html
@@ -115,7 +115,7 @@
 <script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script>
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
 <script type="text/javascript" src="{% static "mirror_status.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $("#available_urls:has(tbody tr)").tablesorter(
 {widgets: ['zebra'], sortList: [[1,0], [2,0]],
diff --git a/templates/mirrors/mirrors.html b/templates/mirrors/mirrors.html
index 7da11268..55eb0f8c 100644
--- a/templates/mirrors/mirrors.html
+++ b/templates/mirrors/mirrors.html
@@ -47,7 +47,7 @@
 </div>
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $(".results").tablesorter({widgets: ['zebra'], sortList: [[2,0], [0,0]]});
 });
diff --git a/templates/mirrors/status.html b/templates/mirrors/status.html
index 39d68460..fb318480 100644
--- a/templates/mirrors/status.html
+++ b/templates/mirrors/status.html
@@ -77,7 +77,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 var headers = { 4: { sorter: 'duration' }, 5: { sorter: 'mostlydigit' }, 6: { sorter: 'mostlydigit' }, 7: { sorter: 'mostlydigit' },
diff --git a/templates/mirrors/url_details.html b/templates/mirrors/url_details.html
index 2454eda4..6e64b08c 100644
--- a/templates/mirrors/url_details.html
+++ b/templates/mirrors/url_details.html
@@ -64,7 +64,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $("#check_logs:has(tbody tr)").tablesorter(
 {widgets: ['zebra'], sortList: [[0,1]],
diff --git a/templates/news/add.html b/templates/news/add.html
index 51094659..f171b503 100644
--- a/templates/news/add.html
+++ b/templates/news/add.html
@@ -35,7 +35,7 @@
 </div>
 {% load cdn %}{% jquery %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(enablePreview);
 </script>
 {% endblock %}
diff --git a/templates/packages/details.html b/templates/packages/details.html
index 2851abd6..768ce43f 100644
--- a/templates/packages/details.html
+++ b/templates/packages/details.html
@@ -11,7 +11,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ CSP_NONCE }}">
 $(document).ready(function() {
 ajaxifyFiles();
 collapseDependsList("#pkgdepslist");
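Review bot: `CSP_NONCE` has to be a fresh random value for every response, matching the one sent in the `Content-Security-Policy` header, and nothing in this templates-only diff shows where it is generated; the commit message's "setting a CSP_NONCE" reads as if it could be a configured value. If it were a fixed string, the same nonce would appear on every page and the `script-src` restriction would no longer distinguish the site's own inline scripts from injected ones. It is worth confirming that the variable is bound to django-csp's per-request nonce (`request.csp_nonce`) and saying so in a comment where the variable is defined.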
diff --git a/templates/packages/differences.html b/templates/packages/differences.html
index 30750798..c650c6e8 100644
--- a/templates/packages/differences.html
+++ b/templates/packages/differences.html
@@ -42,7 +42,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $('#table_multilib_differences').tablesorter({widgets: ['zebra'], sortList: [[5, 0]]});
 });
diff --git a/templates/packages/groups.html b/templates/packages/groups.html
index c135791f..9f9fef35 100644
--- a/templates/packages/groups.html
+++ b/templates/packages/groups.html
@@ -34,7 +34,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $(".results").tablesorter({widgets: ['zebra'], sortList: [[1,0], [0,0]]});
 });
diff --git a/templates/packages/packages_list.html b/templates/packages/packages_list.html
index 3dcc03dc..72311235 100644
--- a/templates/packages/packages_list.html
+++ b/templates/packages/packages_list.html
@@ -45,7 +45,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $(".results").tablesorter({widgets: ['zebra'], sortList: [[2,0]]});
 });
diff --git a/templates/packages/signoffs.html b/templates/packages/signoffs.html
index 9f6437c2..e2214845 100644
--- a/templates/packages/signoffs.html
+++ b/templates/packages/signoffs.html
@@ -82,7 +82,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $('.results').tablesorter({widgets: ['zebra'], sortList: [[0,0]], headers: { 5: { sorter: 'epochdate' }, 7: { sorter: false }, 8: {sorter: false } } });
diff --git a/templates/packages/stale_relations.html b/templates/packages/stale_relations.html
index 218ddb3e..8aec424d 100644
--- a/templates/packages/stale_relations.html
+++ b/templates/packages/stale_relations.html
@@ -114,7 +114,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $('#inactive-user:not(:has(tbody tr.empty))').tablesorter({widgets: ['zebra'], headers: { 0: { sorter: false }, 2: { sorter: false } }, sortList: [[1,0]]});
 $('#missing-pkgbase:not(:has(tbody tr.empty))').tablesorter({widgets: ['zebra'], headers: { 0: { sorter: false } }, sortList: [[1,0]]});
diff --git a/templates/public/keys.html b/templates/public/keys.html
index 37d5b232..978abaab 100644
--- a/templates/public/keys.html
+++ b/templates/public/keys.html
@@ -139,7 +139,7 @@
 <script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script>
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
 <script type="text/javascript" src="{% static "visualize.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $("#key-status").tablesorter({
 sortLocaleCompare: true,
diff --git a/templates/registration/login.html b/templates/registration/login.html
index b5894319..f9acbe99 100644
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@@ -20,7 +20,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 modify_attributes({
 '#id_username': {autocorrect: 'off', autocapitalize: 'off'}
 });
diff --git a/templates/releng/release_list.html b/templates/releng/release_list.html
index bca30042..44d94f14 100644
--- a/templates/releng/release_list.html
+++ b/templates/releng/release_list.html
@@ -57,7 +57,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $(".results").tablesorter({
 widgets: ['zebra'],
diff --git a/templates/todolists/list.html b/templates/todolists/list.html
index 04676812..042ff602 100644
--- a/templates/todolists/list.html
+++ b/templates/todolists/list.html
@@ -56,7 +56,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 // I'm not sure why it didn't autodetect digit, but it has to be explicit
 // http://stackoverflow.com/questions/302749/jquery-tablesorter-problem
diff --git a/templates/todolists/view.html b/templates/todolists/view.html
index 8360533b..b5d69459 100644
--- a/templates/todolists/view.html
+++ b/templates/todolists/view.html
@@ -112,7 +112,7 @@
 {% block script_block %}
 {% load cdn %}{% jquery %}{% jquery_tablesorter %}
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 $(".results").tablesorter({
 widgets: ['zebra'],
diff --git a/templates/visualize/index.html b/templates/visualize/index.html
index 446bdebe..5b992ea4 100644
--- a/templates/visualize/index.html
+++ b/templates/visualize/index.html
@@ -30,7 +30,7 @@
 <script type="text/javascript" src="{% static "d3-3.0.6.min.js" %}"></script>
 <script type="text/javascript" src="{% static "archweb.js" %}"></script>
 <script type="text/javascript" src="{% static "visualize.js" %}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce={{ CSP_NONCE }}>
 $(document).ready(function() {
 var orderings = {
 "repo": { url: "{% url 'visualize-byrepo' %}", color_attr: "repo" }, |