File Changes for galt

v344_base to v345_preview (2017-01-30 to 2017-02-06) v345

• src/hg/cartDump/cartDump.c
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/cirm/cdw/cdwWebBrowse/README_CSP
  • lines changed 16, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/cirm/cdw/cdwWebBrowse/cdwFlowCharts.c
  • lines changed 55, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/cirm/cdw/cdwWebBrowse/cdwNavBar.html
  • lines changed 6, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
  • lines changed 48, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/cirm/cdw/inc/cdwLib.h
  • lines changed 4, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/encode/hgEncodeSubmit/public/javascripts/controls.js
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
  • lines changed 2, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgApi/hgApi.c
  • lines changed 8, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgBlat/hgBlat.c
  • lines changed 7, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgConvert/hgConvert.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgCustom/hgCustom.c
  • lines changed 44, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgFileSearch/hgFileSearch.c
  • lines changed 16, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgGateway/hgGateway.c
  • lines changed 19, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgGene/domains.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgGenome/mainPage.c
  • lines changed 36, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgHubConnect/hgHubConnect.c
  • lines changed 92, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgIntegrator/hgIntegrator.c
  • lines changed 8, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgLiftOver/hgLiftOver.c
  • lines changed 6, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgLogin/hgLogin.c
  • lines changed 47, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgPcr/hgPcr.c
  • lines changed 16, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgPublicSessions/hgPublicSessions.c
  • lines changed 15, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgSession/hgSession.c
  • lines changed 47, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 3, context: html, text, full: html, text
    dab575f9c813b6e2d49e403fc438c0fa0f9307d8 Sat Feb 4 22:53:05 2017 -0800
    make sure this js state never overflows.
• src/hg/hgTables/correlate.c
  • lines changed 7, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/filterFields.c
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/genomeSpace.c
  • lines changed 16, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/great.c
  • lines changed 13, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/hgTables.c
  • lines changed 7, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/hgTables.h
  • lines changed 2, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/intersect.c
  • lines changed 24, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTables/mainPage.c
  • lines changed 51, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTrackUi/hgTrackUi.c
  • lines changed 92, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 3, context: html, text, full: html, text
    f8b16feaacf8742673d634e6584ddd37ca5caa2a Thu Feb 2 14:13:51 2017 -0800
    Fixing missing ajax transfer in hgTracks popup hgTrackUi js. Note this should basically pick up the equivalent of inline event handlers like onclick= stuff.
• src/hg/hgTracks/config.c
  • lines changed 25, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTracks/cytoBandTrack.c
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTracks/extTools.c
  • lines changed 20, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTracks/hgTracks.c
  • lines changed 94, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTracks/imageV2.c
  • lines changed 5, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTracks/menu.c
  • lines changed 7, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgTracks/searchTracks.c
  • lines changed 86, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgUserSuggestion/hgUserSuggestion.c
  • lines changed 31, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgVai/hgVai.c
  • lines changed 33, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgc/bigBedClick.c
  • lines changed 9, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgc/hgc.c
  • lines changed 6, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgc/lowelab.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgc/mafClick.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgc/pubs.c
  • lines changed 4, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/hgc/wikiTrack.c
  • lines changed 5, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/htdocs/bigImage.html
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/htdocs/goldenPath/help/trackDb/trackDbDoc.js
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/htdocs/inc/globalNavBar.inc
  • lines changed 6, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/inc/hPrint.h
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/inc/hui.h
  • lines changed 6, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/inc/jsHelper.h
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/inc/search.h
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/inc/web.h
  • lines changed 45, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/alleles.js
  • lines changed 18, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 15, context: html, text, full: html, text
    87300988042f9b370f257fddf5a3ae0d21662851 Sat Feb 4 00:12:53 2017 -0800
    Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
• src/hg/js/hgGateway.js
  • lines changed 32, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/hgTracks.js
  • lines changed 77, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 20, context: html, text, full: html, text
    f8b16feaacf8742673d634e6584ddd37ca5caa2a Thu Feb 2 14:13:51 2017 -0800
    Fixing missing ajax transfer in hgTracks popup hgTrackUi js. Note this should basically pick up the equivalent of inline event handlers like onclick= stuff.
  • lines changed 63, context: html, text, full: html, text
    1a0fe31189d4bbaeccc42b8f34fe12e876e189d7 Fri Feb 3 10:09:59 2017 -0800
    removing debugging and old CSP1 stuff.
  • lines changed 25, context: html, text, full: html, text
    87300988042f9b370f257fddf5a3ae0d21662851 Sat Feb 4 00:12:53 2017 -0800
    Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
• src/hg/js/jquery.contextmenu.js
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/jquery.jstore-all-min.js
  • lines changed 56, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/jquery.jstore.js
  • lines changed 56, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/jquery.plugins.js
  • lines changed 7, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/lowetooltip.js
  • lines changed 2, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/js/subCfg.js
  • lines changed 5, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 20, context: html, text, full: html, text
    97e8b7ff52a2f4fb0b62d7015aab593346bc3a65 Fri Feb 3 11:48:36 2017 -0800
    stripJsEmbedded is probably obsolete.
  • lines changed 20, context: html, text, full: html, text
    87300988042f9b370f257fddf5a3ae0d21662851 Sat Feb 4 00:12:53 2017 -0800
    Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
• src/hg/js/utils.js
  • lines changed 165, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 1, context: html, text, full: html, text
    1a0fe31189d4bbaeccc42b8f34fe12e876e189d7 Fri Feb 3 10:09:59 2017 -0800
    removing debugging and old CSP1 stuff.
  • lines changed 16, context: html, text, full: html, text
    97e8b7ff52a2f4fb0b62d7015aab593346bc3a65 Fri Feb 3 11:48:36 2017 -0800
    stripJsEmbedded is probably obsolete.
  • lines changed 85, context: html, text, full: html, text
    87300988042f9b370f257fddf5a3ae0d21662851 Sat Feb 4 00:12:53 2017 -0800
    Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
• src/hg/lib/cart.c
  • lines changed 5, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 1, context: html, text, full: html, text
    87300988042f9b370f257fddf5a3ae0d21662851 Sat Feb 4 00:12:53 2017 -0800
    Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
• src/hg/lib/fileUi.c
  • lines changed 11, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/gbHeader.h
  • lines changed 1, context: html, text, full: html, text
    cfb1153618c1c3f959f2ffb551ad26d81ca3dfc8 Mon Jan 30 16:32:44 2017 -0800
    oops fix CSP header inclusion, merge was a bit wonky.
  • lines changed 1, context: html, text, full: html, text
    dd1493178c354ea7170cd68c79d7d0a163768ed5 Mon Jan 30 16:37:38 2017 -0800
    getting rid of unneeded newline
• src/hg/lib/googleAnalytics.c
  • lines changed 4, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/gtexUi.c
  • lines changed 6, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/hCommon.c
  • lines changed 2, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/hPrint.c
  • lines changed 2, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/haplotypes.c
  • lines changed 49, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/hui.c
  • lines changed 274, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/jWestBanner.html
  • lines changed 2, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/jWestHeader.html
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/jsHelper.c
  • lines changed 72, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/pal.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/search.c
  • lines changed 30, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/snakeUi.c
  • lines changed 1, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/tablesTables.c
  • lines changed 18, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/lib/web.c
  • lines changed 66, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 2, context: html, text, full: html, text
    cfb1153618c1c3f959f2ffb551ad26d81ca3dfc8 Mon Jan 30 16:32:44 2017 -0800
    oops fix CSP header inclusion, merge was a bit wonky.
• src/hg/near/hgNear/hgNear.c
  • lines changed 19, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/near/hgNear/userSettings.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/protein/lib/domains.c
  • lines changed 3, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/qaPushQ/qaPushQ.c
  • lines changed 8, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/hg/visiGene/hgVisiGene/hgVisiGene.c
  • lines changed 17, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/inc/cheapcgi.h
  • lines changed 41, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/inc/htmshell.h
  • lines changed 9, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/lib/cheapcgi.c
  • lines changed 334, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
• src/lib/htmshell.c
  • lines changed 260, context: html, text, full: html, text
    a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800
    Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • lines changed 1, context: html, text, full: html, text
    f8b16feaacf8742673d634e6584ddd37ca5caa2a Thu Feb 2 14:13:51 2017 -0800
    Fixing missing ajax transfer in hgTracks popup hgTrackUi js. Note this should basically pick up the equivalent of inline event handlers like onclick= stuff.
  • lines changed 22, context: html, text, full: html, text
    39c1c15163cf86529fdcb102535f639da0bd89f5 Sun Feb 5 00:04:41 2017 -0800
    Dealing with warnings messages that overflow the 1024 limit buffer. Fullsize warning message still appears in the error log.