a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/lib/web.c src/hg/lib/web.c index 6c29c02..455e911 100644 --- src/hg/lib/web.c +++ src/hg/lib/web.c @@ -21,52 +21,54 @@ #include "search.h" #include "geoMirror.h" #include "trackHub.h" #include "versionInfo.h" #ifndef GBROWSE #include "axtInfo.h" #include "wikiLink.h" #include "googleAnalytics.h" #include "jsHelper.h" #endif /* GBROWSE */ /* flag that tell if the CGI header has already been outputed */ boolean webHeadAlreadyOutputed = FALSE; -/* flag that tell if text CGI header hsa been outputed */ +/* flag that tell if text CGI header has been outputed */ boolean webInTextMode = FALSE; struct hash *includedResourceFiles = NULL; static char *dbCgiName = "db"; static char *orgCgiName = "org"; static char *cladeCgiName = "clade"; static char *extraStyle = NULL; /* globals: a cart and db for use in error handlers. */ static struct cart *errCart = NULL; static char *errDb = NULL; void textVaWarn(char *format, va_list args) { vprintf(format, args); puts("\n"); } void softAbort() { +if (!webInTextMode) + webEnd(); exit(0); } void webPushErrHandlers(void) /* Push warn and abort handler for errAbort(). */ { if (webInTextMode) pushWarnHandler(textVaWarn); else pushWarnHandler(webVaWarn); pushAbortHandler(softAbort); hDumpStackPushAbortHandler(); } void webPushErrHandlersCartDb(struct cart *cart, char *db) @@ -165,87 +167,89 @@ if (withHtmlHeader) { char *newString, *ptr1, *ptr2; char *browserVersion; if (btIE == cgiClientBrowser(&browserVersion, NULL, NULL) && *browserVersion < '8') puts(""); else puts(""); // Strict would be nice since it fixes atleast one IE problem (use of :hover CSS pseudoclass) puts( "" "\n" "
" "\n" ); + generateCspMetaHeader(stdout); printf("\t%s\n", headerText); webPragmasEtc(); printf("\t