4e87977d27175e20f01bb740de6a5c54b0e0bbd6 galt Thu Aug 10 23:00:36 2023 -0700 Updating the CSP policy in python hgLib and hgLib3. refs #31954
diff --git src/hg/pyLib/hgLib3.py src/hg/pyLib/hgLib3.py
index 6c28fda..cfe22b0 100644
--- src/hg/pyLib/hgLib3.py
+++ src/hg/pyLib/hgLib3.py
@@ -696,55 +696,78 @@
  # example "default-src 'self'; child-src 'none'; object-src 'none'"
  policy = ""
  policy += "default-src *;"
  '''
  # more secure method not used yet
  policy += "default-src 'self';"
  policy += " child-src 'self';"
  '''
  policy += " script-src 'self' blob:"
  # Trick for backwards compatibility with browsers that understand CSP1 but not nonces (CSP2).
  policy += " 'unsafe-inline'"
  # For browsers that DO understand nonces and CSP2, they ignore 'unsafe-inline' in script if nonce is present.
  policy += " " + getNoncePolicy()
- policy += " code.jquery.com" # used by hgIntegrator jsHelper and others
- policy += " www.google-analytics.com" # used by google analytics
+
+ # used by hgIntegrator jsHelper and others
+ policy += " code.jquery.com/jquery-1.9.1.min.js"
+ policy += " code.jquery.com/jquery-1.12.3.min.js"
+ policy += " code.jquery.com/ui/1.10.3/jquery-ui.min.js"
+ policy += " code.jquery.com/ui/1.11.0/jquery-ui.min.js"
+ policy += " code.jquery.com/ui/1.12.1/jquery-ui.js"
+
+ policy += " www.google-analytics.com/analytics.js" # used by google analytics
+ policy += " www.googletagmanager.com/gtag/js"
+
  #cirm cdw lib and web browse
  policy += " www.samsarin.com/project/dagre-d3/latest/dagre-d3.js"
+
+ policy += " cdnjs.cloudflare.com/ajax/libs/bowser/1.6.1/bowser.min.js"
  policy += " cdnjs.cloudflare.com/ajax/libs/d3/3.4.4/d3.min.js"
  policy += " cdnjs.cloudflare.com/ajax/libs/jquery/1.12.1/jquery.min.js"
  policy += " cdnjs.cloudflare.com/ajax/libs/jstree/3.2.1/jstree.min.js"
- policy += " cdnjs.cloudflare.com/ajax/libs/bowser/1.6.1/bowser.min.js"
  policy += " cdnjs.cloudflare.com/ajax/libs/jstree/3.3.4/jstree.min.js"
+ policy += " cdnjs.cloudflare.com/ajax/libs/jstree/3.3.7/jstree.min.js"
+ policy += " cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js"
+
+ policy += " login.persona.org/include.js"
  # expMatrix
- policy += " ajax.googleapis.com/ajax"
- policy += " maxcdn.bootstrapcdn.com/bootstrap"
+ policy += " ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"
+ policy += " ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"
+ policy += " ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"
+ policy += " ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"
+ policy += " ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"
+ policy += " d3js.org/d3.v3.min.js"
  # jsHelper
- policy += " cdn.datatables.net"
+ policy += " cdn.datatables.net/1.10.12/js/jquery.dataTables.min.js"
  # hgGeneGraph
- policy += " https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"
- policy += " http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.js"
- policy += " http://cdn.rawgit.com/jedfoster/Readmore.js/master/readmore.min.js"
- policy += ";"
+ policy += " maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"
+ policy += " maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"
+ policy += " maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.js"
+ policy += " maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"
+ policy += " maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js"
+ policy += " cdn.rawgit.com/jedfoster/Readmore.js/master/readmore.min.js"
+
+ policy += ";"
+
  policy += " style-src * 'unsafe-inline';"
  '''
  # more secure method not used yet
  policy += " style-src 'self' 'unsafe-inline'"
  policy += " code.jquery.com" # used by hgIntegrator
  policy += " netdna.bootstrapcdn.com" # used by hgIntegrator
  policy += " fonts.googleapis.com" # used by hgGateway
  policy += " maxcdn.bootstrapcdn.com" # used by hgGateway
  policy += ";"
  '''
  # The data: protocol is used by popular browser extensions.
  # It seems to be safe and it is too bad that it must be explicitly included.
  policy += " font-src * data:;"