a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/inc/htmshell.h src/inc/htmshell.h index f55e6fc..120272c 100644 --- src/inc/htmshell.h +++ src/inc/htmshell.h @@ -75,30 +75,39 @@ void attributeDecode(char *s); /* For html tag attribute values decode html entities &#xHH; */ void cssDecode(char *s); /* For CSS values decode "\HH " */ void jsDecode(char *s); /* For JS string values decode "\xHH" */ void urlDecode(char *s); /* For URL paramter values decode "%HH" */ void htmlMemDeath(); /* Complain about lack of memory and abort. */ +char *getNonce(); +/* make nonce one-use-per-page */ + +char *getCspMetaHeader(); +/* return meta CSP header string */ + +void generateCspMetaHeader(FILE *f); +/* Generate Meta CSP Header */ + void htmlStart(char *title); /* Write the start of a cgi-generated html file */ void htmStart(FILE *f, char *title); /* Write the start of a stand alone .html file. */ void printBodyTag(FILE *f); // print starting BODY tag, including any appropriate attributes (class, background and bgcolor). void htmStartWithHead(FILE *f, char *head, char *title); /* Write the start of a stand alone .html file, plus head info */ void htmStartDirDepth(FILE *f, char *title, int dirDepth); /* Write the start of a stand alone .html file. dirDepth is the number of levels * beneath apache root that caller's HTML will appear to the web client.