a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/js/utils.js src/hg/js/utils.js index 1664d71..a3f8ffe 100644 --- src/hg/js/utils.js +++ src/hg/js/utils.js @@ -662,57 +662,85 @@ $(button).attr('title', 'Expand this '+titleDesc); contents.hide(); } else { $(button).attr('title', 'Collapse this '+titleDesc); contents.show().trigger('show'); } $(hidden).val(newVal); if (doAjax) { setCartVar(hiddenPrefix+"_"+prefix+"_close", newVal); } retval = false; } return retval; } +function getNonce() +{ // Gets nonce value from page meta header +var content = $("meta[http-equiv='Content-Security-Policy']").attr("content"); +if (!content) + return ""; +// parse nonce like 'nonce-JDPiW8odQkiav4UCeXsa34ElFm7o' +var sectionBegin = "'nonce-"; +var sectionEnd = "'"; +var ix = content.indexOf(sectionBegin); +if (ix < 0) + return ""; +content = content.substring(ix+sectionBegin.length); +ix = content.indexOf(sectionEnd); +if (ix < 0) + return ""; +content = content.substring(0,ix); +return content; +} + function warnBoxJsSetup() { // Sets up warnBox if not already established. This is duplicated from htmshell.c + // alert("warnBoxJsSetup() called"); // DEBUG REMOVE GALT TODO Nonce? var html = ""; html += "
"; html += "
"; + + // GALT TODO either add nonce or move the showWarnBox and hideWarnBox to some universal javascript + // file that is always included. Or consider if we can just dynamically define the functions + // right here inside this function? maybe prepend function names with "window." to (re)define the global functions. + // maybe something like window.showWarnBox = function(){stuff here}; html += ""; $('body').prepend(html); + document.getElementById('warnOK').onclick = function() {hideWarnBox();return false;}; } function warn(msg) { // adds warnings to the warnBox var warnList = normed($('#warnList')); // warnBox contains warnList if (!warnList) { warnBoxJsSetup(); warnList = normed($('#warnList')); } if (!warnList) alert(msg); else { $( warnList ).append('
  • '+msg+'
  • '); if ($.isFunction(showWarnBox)) showWarnBox(); @@ -1414,78 +1442,209 @@ while (cleanHtml.length > 0) { var bounds = bindings.outside('','',cleanHtml); if (bounds.start === -1) break; var warnMsg = bindings.insideOut('

    ','

    ',cleanHtml,bounds.start,bounds.stop); if (warnMsg.length > 0) { warn(warnMsg); if (whatWeDid) whatWeDid.warnMsg = warnMsg; } cleanHtml = cleanHtml.slice(0,bounds.start) + cleanHtml.slice(bounds.stop); } return cleanHtml; } -function stripJsFiles(returnedHtml,debug) +function stripJsFiles(returnedHtml, debug, whatWeDid) { // strips javascript files from html returned by ajax var cleanHtml = returnedHtml; var shlurpPattern=/"; + var lastIx = 0; + var ix = content.indexOf(sectionBegin, lastIx); + if (ix < 0) + return results; + ix += sectionBegin.length; + var ex = content.indexOf(sectionEnd, ix); + if (ex < 0) + return results; + var jsNonce = content.substring(ix,ex); + if (debug) + alert("jsNonce:'"+jsNonce); + results.push(jsNonce); + lastIx = ex; + ex += sectionEnd.length; + return results; +} + +function charsAreHex(s) +// are all the chars found hex? +{ + var hexChars = "01234566789abcdefABCDEF"; + var d = false; + var i = 0; + if (s) { + d = true; + while (i < s.length) { + if (hexChars.indexOf(s.charAt(i++)) < 0) + d = false; + } + } + return d; +} + +function nonAlphaNumericHexDecodeText(s, prefix, postfix) +// For html tag attributes, it decodes non-alphanumeric characters +// with HH hex codes. +// Decoding happens in-place, changing the input string s. +// prefix must not be empty string or null, but postfix can be empty string. +// Because the decoded string is always equal to or shorter than the input string, +// the decoding is just done in-place modifying the input string. +// Accepts upper and lower case values in entities. +// +{ +var d = ""; +var pfxLen = prefix.length; +var postLen = postfix.length; +var i = 0; +if (s) { + while (i < s.length) { + var matched = false; + if (i+pfxLen+postLen+2 <= s.length) { + var pre = s.substr(i, pfxLen).toLowerCase(); + if (pre === prefix) { + var post = s.substr(i+pfxLen+2, postLen).toLowerCase(); + if (post === postfix) { + var hex = s.substr(i+pfxLen, 2); + if (charsAreHex(hex)) { + d = d + String.fromCharCode(parseInt(hex,16)); + i += pfxLen + 2 + postLen; + matched = true; + } + } + } + } + if (!matched) + d = d + s.charAt(i++); + } +} +return d; +} + + +function jsDecode(s) +// For JS string values decode "\xHH" +{ +return nonAlphaNumericHexDecodeText(s, "\\x", ""); +} + + function stripJsEmbedded(returnedHtml, debug, whatWeDid) { // strips embedded javascript from html returned by ajax // NOTE: any warnBox style errors will be put into the warnBox // If whatWeDid !== null, we use it to return info about // what we stripped out and processed (current just warnMsg). var cleanHtml = returnedHtml; + // embedded javascript? while (cleanHtml.length > 0) { - var begPattern = /