a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in the browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser that this is js we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled throughout the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/js/alleles.js src/hg/js/alleles.js
index 0badd1b..c14fb8f 100644
--- src/hg/js/alleles.js
+++ src/hg/js/alleles.js
@@ -20,50 +20,67 @@
 
 
     function initSortTable()
     { // Initialize the sortable table
         var allelesTable = $('table#alleles.sortable');
         if (allelesTable.length === 1) {
             sortTable.initialize(allelesTable[0],false);
             sortTable.sortCaseSensitive(true);
         }
     }
 
     function update(content, status)
     { // Update the geneAlleles section based upon ajax request
         hideLoadingImage(this.loadingId);  // Do this first
 
+	var pageNonce = getNonce();
+
+	var ajaxNonce = stripNonce(content, false);
+    
+	var jsNonce = stripJsNonce(content, ajaxNonce, false);// DEBUG msg with true
+        
         var geneAlleles = $('div#' + sectionName);
         if (geneAlleles.length > 0) {
             
             var cleanHtml = content;
             //cleanHtml = stripJsFiles(cleanHtml,true);   // DEBUG msg with true
             //cleanHtml = stripCssFiles(cleanHtml,true);  // DEBUG msg with true
             //cleanHtml = stripJsEmbedded(cleanHtml,true);// DEBUG msg with true
             var sectionBegin = "<!-- " + sectionName + " begin -->";
             var sectionEnd   = "<!-- " + sectionName + " end -->";
             var ix = cleanHtml.indexOf(sectionBegin);
             if (ix > 0)
                 cleanHtml = cleanHtml.substring(ix);
             ix = cleanHtml.indexOf(sectionEnd);
             if (ix > 0)
                 cleanHtml = cleanHtml.substring(0,ix + sectionEnd.length);
 
             if (cleanHtml.length > 0) {
+
                 ajaxUpdates++;
                 $(geneAlleles[0]).html( cleanHtml );
                 hiliteRemove();
+
+		// append ajax js blocks with nonce
+		for (i=0; i<jsNonce.length; ++i) {
+		    var sTag = document.createElement("script");
+		    sTag.type = "text/javascript";
+		    sTag.text = jsNonce[i];
+		    sTag.setAttribute('nonce', pageNonce); // CSP2 Requires
+		    document.head.appendChild(sTag);
+		}		
+
                 alleles.initialize();  // Must have prefix, since ajax call
             }
         }
     }
     
     function ajaxRequest(data)
     { // Request an ajax update of this section
     
         // Use current url but make sure it is relative
         var thisUrl = window.location.href;
         var ix = thisUrl.indexOf("cgi-bin");
         if (ix > 0)
             thisUrl = "../" + thisUrl.substring(ix);
         
         $.ajax({
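Review bot: The loop in update() that appends the nonce'd script blocks assigns its index without declaring it, `for (i=0; i<jsNonce.length; ++i)`, so `i` becomes an implicit global (and would throw a ReferenceError if this scope were ever made strict); declare it locally with `for (var i = 0; i < jsNonce.length; ++i) {`. Each appended block is tagged with the page nonce regardless of where its text came from, so the CSP2 protection here rests on stripJsNonce returning only the script text the server tagged with ajaxNonce; that contract is not visible in this hunk and deserves a one-line comment above the loop, e.g. `// jsNonce holds only script text the server tagged with ajaxNonce; re-tag it with the page nonce so CSP2 allows it`. The three nonce calls at the top of update() run before the `geneAlleles.length > 0` guard and could sit inside it, though that is cosmetic. The added lines are tab-indented while the surrounding file uses spaces.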
@@ -219,31 +236,31 @@
                 hiliteSpecial( hiliteId );
         }
     }
     
     function hiliteAllDiffs()
     {   // Adds all hilites
     
         // Don't even bother if full sequence isn't showing
         var fullSeq = $('input#'+sectionName+'_fullSeq');
         if (fullSeq.length !== 0 && $(fullSeq).val().indexOf('Hide') === -1)
             return;
         
         // DNA view or AA view?
         var spans;
         var dnaView = $('input#'+sectionName+'_dnaView');
-        if (dnaView && $(dnaView).val().indexOf('DNA') === -1) {
+        if (dnaView.length !== 0 && $(dnaView).val().indexOf('DNA') === -1) {
             spans = $('table#alleles').find('TH.seq').find('B');
         } else { // AA view
             spans = $('table#alleles').find('TH.seq').find('span');
         }
         // At this point, hilighting should be identical
         $(spans).each(function (ix) {
             var xPx     = $(this).position().left;
             var widthPx = $(this).width();
             if (widthPx === 0)
                 widthPx = seqPxPerPos;
             var div = hiliteAdd(xPx,widthPx);
             
             // Can we give it a title and class?
             var varClass = $( this ).attr("class").split(' ');
             if (varClass.length > 0) {
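Review bot: On the changed line in hiliteAllDiffs(), `$(dnaView)` re-wraps a value that is already a jQuery object; reading it directly keeps the expression consistent with the `.length !== 0` check that now guards it, i.e. `if (dnaView.length !== 0 && dnaView.val().indexOf('DNA') === -1) {`. The fullSeq test a few lines up has the same redundant wrapping, but it is context rather than new code. hiliteAllDiffs() continues past the end of the hunk.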