From fa9f60bcd995f8de614c804d5bb3a17d17fbae39 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Wed, 25 Dec 2019 12:18:00 +0000
Subject: [PATCH] Console, webapps: CSP improvements i2ptunnel, susidns: Add
 headers.jsi Console: Remove onload and use nonce for inline scripts where
 able Version remaining js links

---
 .../org/klomp/snark/web/I2PSnarkServlet.java  |  2 +-
 apps/i2ptunnel/jsp/edit.jsp                   |  2 +-
 apps/i2ptunnel/jsp/headers.jsi                | 15 ++++++++++++++
 apps/i2ptunnel/jsp/index.jsp                  | 15 +-------------
 apps/i2ptunnel/jsp/register.jsp               | 11 +---------
 apps/i2ptunnel/jsp/ssl.jsp                    | 11 +---------
 apps/i2ptunnel/jsp/wizard.jsp                 | 15 +-------------
 .../src/net/i2p/servlet/ErrorServlet.java     |  3 ++-
 apps/routerconsole/jsp/certs.jsp              |  3 +--
 apps/routerconsole/jsp/config.jsp             |  6 +-----
 apps/routerconsole/jsp/configadvanced.jsp     |  6 +-----
 apps/routerconsole/jsp/configclients.jsp      |  7 ++-----
 apps/routerconsole/jsp/configfamily.jsp       |  6 +-----
 apps/routerconsole/jsp/confighome.jsp         |  5 +----
 apps/routerconsole/jsp/configi2cp.jsp         |  6 +-----
 apps/routerconsole/jsp/configkeyring.jsp      |  5 +----
 apps/routerconsole/jsp/configlogging.jsp      |  5 +----
 apps/routerconsole/jsp/confignet.jsp          |  6 +-----
 apps/routerconsole/jsp/configpeer.jsp         |  3 +--
 apps/routerconsole/jsp/configplugins.jsp      |  6 +-----
 apps/routerconsole/jsp/configreseed.jsp       |  6 +-----
 apps/routerconsole/jsp/configservice.jsp      |  5 +----
 apps/routerconsole/jsp/configsidebar.jsp      |  5 +----
 apps/routerconsole/jsp/configstats.jsp        |  5 ++---
 apps/routerconsole/jsp/configtunnels.jsp      |  6 +-----
 apps/routerconsole/jsp/configui.jsp           |  6 +-----
 apps/routerconsole/jsp/configupdate.jsp       |  5 +----
 apps/routerconsole/jsp/configwebapps.jsp      |  6 +-----
 apps/routerconsole/jsp/console.jsp            |  6 +-----
 apps/routerconsole/jsp/csp-unsafe.jsi         |  4 ++++
 apps/routerconsole/jsp/css.jsi                |  6 +++++-
 apps/routerconsole/jsp/debug.jsp              |  3 +--
 apps/routerconsole/jsp/dns.jsp                | 11 ++++------
 apps/routerconsole/jsp/error.jsp              |  3 +--
 apps/routerconsole/jsp/events.jsp             |  4 +---
 apps/routerconsole/jsp/graph.jsp              |  4 +---
 apps/routerconsole/jsp/graphs.jsp             |  4 +---
 apps/routerconsole/jsp/help.jsp               |  3 +--
 apps/routerconsole/jsp/home.jsp               |  3 +--
 apps/routerconsole/jsp/i2ptunnelmgr.jsp       |  9 ++++-----
 apps/routerconsole/jsp/jars.jsp               |  4 +---
 apps/routerconsole/jsp/jobs.jsp               |  4 +---
 apps/routerconsole/jsp/logs.jsp               |  4 +---
 apps/routerconsole/jsp/netdb.jsp              |  4 +---
 apps/routerconsole/jsp/news.jsp               |  4 +---
 apps/routerconsole/jsp/nowebapp.jsp           |  3 +--
 apps/routerconsole/jsp/oldconsole.jsp         |  3 +--
 apps/routerconsole/jsp/peers.jsp              |  4 +---
 apps/routerconsole/jsp/profiles.jsp           |  4 +---
 apps/routerconsole/jsp/proof.jsp              |  4 +---
 apps/routerconsole/jsp/stats.jsp              |  4 +---
 apps/routerconsole/jsp/summaryajax.jsi        |  4 +++-
 apps/routerconsole/jsp/torrents.jsp           | 11 ++++------
 apps/routerconsole/jsp/tunnels.jsp            |  4 +---
 apps/routerconsole/jsp/viewprofile.jsp        |  4 +---
 apps/routerconsole/jsp/webmail.jsp            | 11 ++++------
 apps/routerconsole/jsp/welcome.jsp            | 20 +++++--------------
 apps/susidns/src/jsp/addressbook.jsp          |  4 ++--
 apps/susidns/src/jsp/config.jsp               | 13 +-----------
 apps/susidns/src/jsp/details.jsp              | 13 +-----------
 apps/susidns/src/jsp/headers.jsi              | 12 +++++++++++
 apps/susidns/src/jsp/index.jsp                |  2 +-
 apps/susidns/src/jsp/subscriptions.jsp        | 13 +-----------
 .../src/src/i2p/susi/webmail/WebMail.java     |  2 +-
 64 files changed, 118 insertions(+), 279 deletions(-)
 create mode 100644 apps/i2ptunnel/jsp/headers.jsi
 create mode 100644 apps/routerconsole/jsp/csp-unsafe.jsi
 create mode 100644 apps/susidns/src/jsp/headers.jsi

diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 9dc2b6658..6ed333882 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -414,7 +414,7 @@ public class I2PSnarkServlet extends BasicServlet {
         resp.setContentType("text/html; charset=UTF-8");
         // "no-store, max-age=0" forces all our images to be reloaded on ajax refresh
         resp.setHeader("Cache-Control", "max-age=86400, no-cache, must-revalidate");
-        resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+        resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'");
         resp.setDateHeader("Expires", 86400);
         resp.setHeader("Pragma", "no-cache");
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index e92b2ff56..3b341cc3c 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -3,7 +3,7 @@
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     // edit pages need script for the delete button 'are you sure'
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
     response.setHeader("X-Content-Type-Options", "nosniff");
     response.setHeader("Referrer-Policy", "no-referrer");
diff --git a/apps/i2ptunnel/jsp/headers.jsi b/apps/i2ptunnel/jsp/headers.jsi
new file mode 100644
index 000000000..1ce03c28f
--- /dev/null
+++ b/apps/i2ptunnel/jsp/headers.jsi
@@ -0,0 +1,15 @@
+<%
+    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
+
+    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
+    if (request.getCharacterEncoding() == null)
+        request.setCharacterEncoding("UTF-8");
+
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+    response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
+    response.setHeader("Referrer-Policy", "no-referrer");
+    response.setHeader("Accept-Ranges", "none");
+
+%>
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index 5e98a0a49..c00741d6a 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -1,17 +1,4 @@
-<%
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
+<%@include file="headers.jsi"
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.IndexBean"
diff --git a/apps/i2ptunnel/jsp/register.jsp b/apps/i2ptunnel/jsp/register.jsp
index 91bcf7b78..57fa92512 100644
--- a/apps/i2ptunnel/jsp/register.jsp
+++ b/apps/i2ptunnel/jsp/register.jsp
@@ -1,13 +1,4 @@
-<%
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
+<%@include file="headers.jsi"
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="java.io.InputStream,net.i2p.i2ptunnel.web.EditBean,net.i2p.servlet.RequestWrapper,net.i2p.client.I2PSessionException,net.i2p.client.naming.HostTxtEntry,net.i2p.data.PrivateKeyFile,net.i2p.data.SigningPrivateKey,net.i2p.util.OrderedProperties"
 %><%@page
diff --git a/apps/i2ptunnel/jsp/ssl.jsp b/apps/i2ptunnel/jsp/ssl.jsp
index c2427d867..f285eaab8 100644
--- a/apps/i2ptunnel/jsp/ssl.jsp
+++ b/apps/i2ptunnel/jsp/ssl.jsp
@@ -1,13 +1,4 @@
-<%
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
+<%@include file="headers.jsi"
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="java.io.File,java.io.IOException,net.i2p.crypto.KeyStoreUtil,net.i2p.data.DataHelper,net.i2p.jetty.JettyXmlConfigurationParser"
 %><%@page
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index b02bd4694..d919698b3 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -1,17 +1,4 @@
-<%
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
+<%@include file="headers.jsi"
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
 %><?xml version="1.0" encoding="UTF-8"?>
diff --git a/apps/jetty/java/src/net/i2p/servlet/ErrorServlet.java b/apps/jetty/java/src/net/i2p/servlet/ErrorServlet.java
index fb4922721..aa0ce5704 100644
--- a/apps/jetty/java/src/net/i2p/servlet/ErrorServlet.java
+++ b/apps/jetty/java/src/net/i2p/servlet/ErrorServlet.java
@@ -90,7 +90,7 @@ public class ErrorServlet extends HttpServlet {
         resp.setDateHeader("Expires", 0);
         resp.setHeader("Cache-Control", "no-store, max-age=0, no-cache, must-revalidate");
         resp.setHeader("Pragma", "no-cache");
-        resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'none'");
+        resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'none'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
         Integer ERROR_CODE = (Integer) req.getAttribute("javax.servlet.error.status_code");
         String ERROR_URI = (String) req.getAttribute("javax.servlet.error.request_uri");
         String ERROR_MESSAGE = (String) req.getAttribute("javax.servlet.error.message");
@@ -114,6 +114,7 @@ public class ErrorServlet extends HttpServlet {
              ERROR_URI.endsWith(".ico") ||
              ERROR_URI.endsWith(".svg") ||
              ERROR_URI.endsWith(".txt") ||
+             ERROR_URI.endsWith(".js") ||
              ERROR_URI.endsWith(".css"))) {
             // keep it simple
             resp.setContentType("text/plain");
diff --git a/apps/routerconsole/jsp/certs.jsp b/apps/routerconsole/jsp/certs.jsp
index c7658af96..0f19f0979 100644
--- a/apps/routerconsole/jsp/certs.jsp
+++ b/apps/routerconsole/jsp/certs.jsp
@@ -5,9 +5,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Certificates")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1><%=intl._t("Certificates")%></h1>
 <div class="main" id="certs">
 <jsp:useBean class="net.i2p.router.web.helpers.CertHelper" id="certhelper" scope="request" />
diff --git a/apps/routerconsole/jsp/config.jsp b/apps/routerconsole/jsp/config.jsp
index 3006fa49c..099c95d09 100644
--- a/apps/routerconsole/jsp/config.jsp
+++ b/apps/routerconsole/jsp/config.jsp
@@ -2,16 +2,12 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("configure bandwidth")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigNetHelper" id="nethelper" scope="request" />
 <jsp:setProperty name="nethelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Bandwidth Configuration")%></h1>
diff --git a/apps/routerconsole/jsp/configadvanced.jsp b/apps/routerconsole/jsp/configadvanced.jsp
index 16c28c565..0ebf056ab 100644
--- a/apps/routerconsole/jsp/configadvanced.jsp
+++ b/apps/routerconsole/jsp/configadvanced.jsp
@@ -2,16 +2,12 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config advanced")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigAdvancedHelper" id="advancedhelper" scope="request" />
 <jsp:setProperty name="advancedhelper" property="contextId" value="<%=i2pcontextId%>" />
 
diff --git a/apps/routerconsole/jsp/configclients.jsp b/apps/routerconsole/jsp/configclients.jsp
index 45b44a60a..ace704112 100644
--- a/apps/routerconsole/jsp/configclients.jsp
+++ b/apps/routerconsole/jsp/configclients.jsp
@@ -1,9 +1,9 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("config clients")%>
 <style type='text/css'>
 button span.hide{
@@ -11,12 +11,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />
diff --git a/apps/routerconsole/jsp/configfamily.jsp b/apps/routerconsole/jsp/configfamily.jsp
index 46b683a52..e6200e3f9 100644
--- a/apps/routerconsole/jsp/configfamily.jsp
+++ b/apps/routerconsole/jsp/configfamily.jsp
@@ -1,16 +1,12 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config router family")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigFamilyHelper" id="familyHelper" scope="request" />
 <jsp:setProperty name="familyHelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Router Family Configuration")%></h1>
diff --git a/apps/routerconsole/jsp/confighome.jsp b/apps/routerconsole/jsp/confighome.jsp
index a621e307d..9b91ba5d6 100644
--- a/apps/routerconsole/jsp/confighome.jsp
+++ b/apps/routerconsole/jsp/confighome.jsp
@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config home")%>
@@ -12,10 +11,8 @@ input.default {
     visibility: hidden;
 }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Home Page Configuration")%></h1>
 <div class="main" id="config_homepage">
diff --git a/apps/routerconsole/jsp/configi2cp.jsp b/apps/routerconsole/jsp/configi2cp.jsp
index 29eba95fb..cab3dfa0f 100644
--- a/apps/routerconsole/jsp/configi2cp.jsp
+++ b/apps/routerconsole/jsp/configi2cp.jsp
@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config clients")%>
@@ -11,12 +10,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />
diff --git a/apps/routerconsole/jsp/configkeyring.jsp b/apps/routerconsole/jsp/configkeyring.jsp
index 903c3acf2..b80007781 100644
--- a/apps/routerconsole/jsp/configkeyring.jsp
+++ b/apps/routerconsole/jsp/configkeyring.jsp
@@ -1,14 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config keyring")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Keyring Configuration")%></h1>
 <div class="main" id="config_keyring">
diff --git a/apps/routerconsole/jsp/configlogging.jsp b/apps/routerconsole/jsp/configlogging.jsp
index c374032d2..906abb6fb 100644
--- a/apps/routerconsole/jsp/configlogging.jsp
+++ b/apps/routerconsole/jsp/configlogging.jsp
@@ -2,16 +2,13 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config logging")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigLoggingHelper" id="logginghelper" scope="request" />
 <jsp:setProperty name="logginghelper" property="contextId" value="<%=i2pcontextId%>" />
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Logging Configuration")%></h1>
 <div class="main" id="config_logging">
diff --git a/apps/routerconsole/jsp/confignet.jsp b/apps/routerconsole/jsp/confignet.jsp
index 003eb63c3..2c93d86f0 100644
--- a/apps/routerconsole/jsp/confignet.jsp
+++ b/apps/routerconsole/jsp/confignet.jsp
@@ -1,16 +1,12 @@
 <%@page contentType="text/html" %>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config networking")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigNetHelper" id="nethelper" scope="request" />
 <jsp:setProperty name="nethelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Network Configuration")%></h1>
diff --git a/apps/routerconsole/jsp/configpeer.jsp b/apps/routerconsole/jsp/configpeer.jsp
index b433027e2..a222c005e 100644
--- a/apps/routerconsole/jsp/configpeer.jsp
+++ b/apps/routerconsole/jsp/configpeer.jsp
@@ -4,9 +4,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config peers")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Peer Configuration")%></h1>
 <div class="main" id="config_peers">
diff --git a/apps/routerconsole/jsp/configplugins.jsp b/apps/routerconsole/jsp/configplugins.jsp
index 27adbd632..c6bb9ca50 100644
--- a/apps/routerconsole/jsp/configplugins.jsp
+++ b/apps/routerconsole/jsp/configplugins.jsp
@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config plugins")%>
@@ -11,12 +10,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />
diff --git a/apps/routerconsole/jsp/configreseed.jsp b/apps/routerconsole/jsp/configreseed.jsp
index 728d3862b..e75301ab5 100644
--- a/apps/routerconsole/jsp/configreseed.jsp
+++ b/apps/routerconsole/jsp/configreseed.jsp
@@ -1,16 +1,12 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config reseeding")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigReseedHelper" id="reseedHelper" scope="request" />
 <jsp:setProperty name="reseedHelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Reseeding Configuration")%></h1>
diff --git a/apps/routerconsole/jsp/configservice.jsp b/apps/routerconsole/jsp/configservice.jsp
index eeccee022..940635a6b 100644
--- a/apps/routerconsole/jsp/configservice.jsp
+++ b/apps/routerconsole/jsp/configservice.jsp
@@ -1,14 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config service")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Service Configuration")%></h1>
 <div class="main" id="config_service">
diff --git a/apps/routerconsole/jsp/configsidebar.jsp b/apps/routerconsole/jsp/configsidebar.jsp
index ea071841b..ff2d01699 100644
--- a/apps/routerconsole/jsp/configsidebar.jsp
+++ b/apps/routerconsole/jsp/configsidebar.jsp
@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config sidebar")%>
@@ -12,10 +11,8 @@ input.default {
     visibility: hidden;
 }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Sidebar Configuration")%></h1>
 <div class="main" id="config_summarybar">
diff --git a/apps/routerconsole/jsp/configstats.jsp b/apps/routerconsole/jsp/configstats.jsp
index dc65311d0..7dd5bfc21 100644
--- a/apps/routerconsole/jsp/configstats.jsp
+++ b/apps/routerconsole/jsp/configstats.jsp
@@ -2,14 +2,13 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("config stats")%>
 <noscript><style type="text/css">.script {display: none;}</style></noscript>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
 function init()
 {
 	checkAll = false;
diff --git a/apps/routerconsole/jsp/configtunnels.jsp b/apps/routerconsole/jsp/configtunnels.jsp
index 7673dd202..5a7253a44 100644
--- a/apps/routerconsole/jsp/configtunnels.jsp
+++ b/apps/routerconsole/jsp/configtunnels.jsp
@@ -1,16 +1,12 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config tunnels")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigTunnelsHelper" id="tunnelshelper" scope="request" />
 <jsp:setProperty name="tunnelshelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Tunnel Configuration")%></h1>
diff --git a/apps/routerconsole/jsp/configui.jsp b/apps/routerconsole/jsp/configui.jsp
index 3f8b3a6e8..6caccc6d0 100644
--- a/apps/routerconsole/jsp/configui.jsp
+++ b/apps/routerconsole/jsp/configui.jsp
@@ -2,7 +2,6 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config UI")%>
@@ -13,12 +12,9 @@ input.default {
     visibility: hidden;
 }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigUIHelper" id="uihelper" scope="request" />
 <jsp:setProperty name="uihelper" property="contextId" value="<%=i2pcontextId%>" />
 
diff --git a/apps/routerconsole/jsp/configupdate.jsp b/apps/routerconsole/jsp/configupdate.jsp
index 0401fa017..ae6b0c450 100644
--- a/apps/routerconsole/jsp/configupdate.jsp
+++ b/apps/routerconsole/jsp/configupdate.jsp
@@ -2,14 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config update")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Update Configuration")%></h1>
 <div class="main" id="config_update">
diff --git a/apps/routerconsole/jsp/configwebapps.jsp b/apps/routerconsole/jsp/configwebapps.jsp
index 2b563283c..f379a12c6 100644
--- a/apps/routerconsole/jsp/configwebapps.jsp
+++ b/apps/routerconsole/jsp/configwebapps.jsp
@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config webapps")%>
@@ -11,12 +10,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />
diff --git a/apps/routerconsole/jsp/console.jsp b/apps/routerconsole/jsp/console.jsp
index 3ed8353ce..446e51b85 100644
--- a/apps/routerconsole/jsp/console.jsp
+++ b/apps/routerconsole/jsp/console.jsp
@@ -2,19 +2,15 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("home")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%
     String consoleNonce = net.i2p.router.web.CSSHelper.getNonce();
 %>
-
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Router Console")%></h1>
 <div class="news" id="news">
 <%
diff --git a/apps/routerconsole/jsp/csp-unsafe.jsi b/apps/routerconsole/jsp/csp-unsafe.jsi
new file mode 100644
index 000000000..720a26a17
--- /dev/null
+++ b/apps/routerconsole/jsp/csp-unsafe.jsi
@@ -0,0 +1,4 @@
+<%
+      // Add this AFTER css.jsi if there's any onclick attributes in the page
+      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+%>
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index 2687e532e..0550b226f 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -34,10 +34,14 @@
 <link rel="icon" href="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/favicon.ico"><%
    response.setHeader("Accept-Ranges", "none");
 
+   String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());
+
    // clickjacking
    if (intl.shouldSendXFrame()) {
       response.setHeader("X-Frame-Options", "SAMEORIGIN");
-      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+      // unsafe-inline is a fallback for browsers not supporting nonce
+      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
+      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
       response.setHeader("X-XSS-Protection", "1; mode=block");
       response.setHeader("X-Content-Type-Options", "nosniff");
    }
diff --git a/apps/routerconsole/jsp/debug.jsp b/apps/routerconsole/jsp/debug.jsp
index c93986352..cdbaa8456 100644
--- a/apps/routerconsole/jsp/debug.jsp
+++ b/apps/routerconsole/jsp/debug.jsp
@@ -9,9 +9,8 @@
 %>
 <html><head><title>I2P Router Console - Debug</title>
 <%@include file="css.jsi" %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1>Router Debug</h1>
 <div class="main" id="debug">
diff --git a/apps/routerconsole/jsp/dns.jsp b/apps/routerconsole/jsp/dns.jsp
index 6a3021424..3826be399 100644
--- a/apps/routerconsole/jsp/dns.jsp
+++ b/apps/routerconsole/jsp/dns.jsp
@@ -21,24 +21,21 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("addressbook")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function setupFrame() {
       f = document.getElementById("susidnsframe");
       injectClass(f);
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Addressbook")%> <span class="newtab"><a href="/susidns/index" target="_blank" title="<%=intl._t("Open in new tab")%>"><img src="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/newtab.png" /></a></span></h1>
 <div class="main" id="dns">
 <iframe src="/susidns/index" width="100%" height="100%" frameborder="0" border="0" name="susidnsframe" id="susidnsframe" onload="setupFrame()" allowtransparency="true">
diff --git a/apps/routerconsole/jsp/error.jsp b/apps/routerconsole/jsp/error.jsp
index a96de27e9..c565524c6 100644
--- a/apps/routerconsole/jsp/error.jsp
+++ b/apps/routerconsole/jsp/error.jsp
@@ -27,9 +27,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Page Not Found")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=ERROR_CODE%>&nbsp;<%=ERROR_MESSAGE%></h1>
 <div class="sorry" id="warning">
diff --git a/apps/routerconsole/jsp/events.jsp b/apps/routerconsole/jsp/events.jsp
index 3b867f890..f22082261 100644
--- a/apps/routerconsole/jsp/events.jsp
+++ b/apps/routerconsole/jsp/events.jsp
@@ -2,7 +2,6 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("events")%>
@@ -14,9 +13,8 @@
     eventHelper.storeWriter(out);
     eventHelper.storeMethod(request.getMethod());
 %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Event Log")%></h1>
 <div class="main" id="events">
diff --git a/apps/routerconsole/jsp/graph.jsp b/apps/routerconsole/jsp/graph.jsp
index debe4c60b..a81a39a21 100644
--- a/apps/routerconsole/jsp/graph.jsp
+++ b/apps/routerconsole/jsp/graph.jsp
@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("graphs")%>
@@ -12,9 +11,8 @@
 <%
     graphHelper.storeWriter(out);
 %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <%
     // needs to be after the summary bar is rendered, so
diff --git a/apps/routerconsole/jsp/graphs.jsp b/apps/routerconsole/jsp/graphs.jsp
index c24f74bd6..2e03247c0 100644
--- a/apps/routerconsole/jsp/graphs.jsp
+++ b/apps/routerconsole/jsp/graphs.jsp
@@ -2,7 +2,6 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("graphs")%>
@@ -19,9 +18,8 @@
         out.print(graphHelper.getRefreshMeta());
     }
 %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Performance Graphs")%></h1>
 <div class="main" id="graphs">
diff --git a/apps/routerconsole/jsp/help.jsp b/apps/routerconsole/jsp/help.jsp
index 2c5460194..f0e586f0a 100644
--- a/apps/routerconsole/jsp/help.jsp
+++ b/apps/routerconsole/jsp/help.jsp
@@ -5,9 +5,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("help")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Router Help and Support")%></h1>
 <div class="main" id="help">
diff --git a/apps/routerconsole/jsp/home.jsp b/apps/routerconsole/jsp/home.jsp
index 39cf6dfa2..553b746ab 100644
--- a/apps/routerconsole/jsp/home.jsp
+++ b/apps/routerconsole/jsp/home.jsp
@@ -4,9 +4,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("home")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%
     String consoleNonce = net.i2p.router.web.CSSHelper.getNonce();
 %>
diff --git a/apps/routerconsole/jsp/i2ptunnelmgr.jsp b/apps/routerconsole/jsp/i2ptunnelmgr.jsp
index c51b0243b..360bfb9e5 100644
--- a/apps/routerconsole/jsp/i2ptunnelmgr.jsp
+++ b/apps/routerconsole/jsp/i2ptunnelmgr.jsp
@@ -21,14 +21,13 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("Hidden Services Manager")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function injectClassSpecific(f) {
       var doc = 'contentDocument' in f? f.contentDocument : f.contentWindow.document;
       if (doc.getElementsByClassName == undefined) {
@@ -57,7 +56,7 @@
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
+</head><body>
 
 <%@include file="summary.jsi" %>
 
diff --git a/apps/routerconsole/jsp/jars.jsp b/apps/routerconsole/jsp/jars.jsp
index 0db353740..65ae4ce51 100644
--- a/apps/routerconsole/jsp/jars.jsp
+++ b/apps/routerconsole/jsp/jars.jsp
@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Jar File Dump")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1>Jar File Dump</h1>
 <div class="main" id="jardump">
 <jsp:useBean class="net.i2p.router.web.helpers.FileDumpHelper" id="dumpHelper" scope="request" />
diff --git a/apps/routerconsole/jsp/jobs.jsp b/apps/routerconsole/jsp/jobs.jsp
index 09102085e..c55d4df00 100644
--- a/apps/routerconsole/jsp/jobs.jsp
+++ b/apps/routerconsole/jsp/jobs.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("job queue")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1><%=intl._t("I2P Router Job Queue")%></h1>
 <div class="main" id="jobs">
  <jsp:useBean class="net.i2p.router.web.helpers.JobQueueHelper" id="jobQueueHelper" scope="request" />
diff --git a/apps/routerconsole/jsp/logs.jsp b/apps/routerconsole/jsp/logs.jsp
index 16021b45b..f137582c5 100644
--- a/apps/routerconsole/jsp/logs.jsp
+++ b/apps/routerconsole/jsp/logs.jsp
@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("logs")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Router Logs")%></h1>
 <div class="main" id="logs">
diff --git a/apps/routerconsole/jsp/netdb.jsp b/apps/routerconsole/jsp/netdb.jsp
index 6409b2d71..cb61276af 100644
--- a/apps/routerconsole/jsp/netdb.jsp
+++ b/apps/routerconsole/jsp/netdb.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("network database")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Network Database")%></h1>
 <div class="main" id="netdb">
diff --git a/apps/routerconsole/jsp/news.jsp b/apps/routerconsole/jsp/news.jsp
index 33c62379d..ea7b87d53 100644
--- a/apps/routerconsole/jsp/news.jsp
+++ b/apps/routerconsole/jsp/news.jsp
@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("News")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("Latest News")%></h1>
 <div class="main" id="news">
diff --git a/apps/routerconsole/jsp/nowebapp.jsp b/apps/routerconsole/jsp/nowebapp.jsp
index 952066de3..d481f544d 100644
--- a/apps/routerconsole/jsp/nowebapp.jsp
+++ b/apps/routerconsole/jsp/nowebapp.jsp
@@ -7,9 +7,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("WebApp Not Found")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("Web Application Not Running")%></h1>
 <div class="sorry" id="warning">
diff --git a/apps/routerconsole/jsp/oldconsole.jsp b/apps/routerconsole/jsp/oldconsole.jsp
index 1ac2578ad..c30d97309 100644
--- a/apps/routerconsole/jsp/oldconsole.jsp
+++ b/apps/routerconsole/jsp/oldconsole.jsp
@@ -9,9 +9,8 @@
 %>
 <html><head><title>I2P Router Console - internals</title>
 <%@include file="css.jsi" %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <jsp:useBean class="net.i2p.router.web.helpers.OldConsoleHelper" id="conhelper" scope="request" />
 <jsp:setProperty name="conhelper" property="contextId" value="<%=i2pcontextId%>" />
diff --git a/apps/routerconsole/jsp/peers.jsp b/apps/routerconsole/jsp/peers.jsp
index b346ec373..95ae30e23 100644
--- a/apps/routerconsole/jsp/peers.jsp
+++ b/apps/routerconsole/jsp/peers.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("peer connections")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Network Peers")%></h1>
 <div class="main" id="peers">
diff --git a/apps/routerconsole/jsp/profiles.jsp b/apps/routerconsole/jsp/profiles.jsp
index eea5cdfe0..e96ed25ba 100644
--- a/apps/routerconsole/jsp/profiles.jsp
+++ b/apps/routerconsole/jsp/profiles.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("peer profiles")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Network Peer Profiles")%></h1>
 <div class="main" id="profiles"><div class="wideload">
diff --git a/apps/routerconsole/jsp/proof.jsp b/apps/routerconsole/jsp/proof.jsp
index 0c4081f76..7f74b6a06 100644
--- a/apps/routerconsole/jsp/proof.jsp
+++ b/apps/routerconsole/jsp/proof.jsp
@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Proof")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1>Proof of Ownership</h1>
 <div class="main" id="proof"><p>
 <jsp:useBean class="net.i2p.router.web.helpers.ProofHelper" id="proofHelper" scope="request" />
diff --git a/apps/routerconsole/jsp/stats.jsp b/apps/routerconsole/jsp/stats.jsp
index 1e72f75d3..4b980bebc 100644
--- a/apps/routerconsole/jsp/stats.jsp
+++ b/apps/routerconsole/jsp/stats.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("statistics")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <jsp:useBean class="net.i2p.router.web.helpers.OldConsoleHelper" id="oldhelper" scope="request" />
 <jsp:setProperty name="oldhelper" property="contextId" value="<%=i2pcontextId%>" />
diff --git a/apps/routerconsole/jsp/summaryajax.jsi b/apps/routerconsole/jsp/summaryajax.jsi
index 13abfce24..136022636 100644
--- a/apps/routerconsole/jsp/summaryajax.jsi
+++ b/apps/routerconsole/jsp/summaryajax.jsi
@@ -1,5 +1,7 @@
-<script type="text/javascript">
+<script src="/js/ajax.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
   var failMessage = "<hr><b><%=intl._t("Router is down")%><\/b>";
   function requestAjax1() { ajax("/xhr1.jsp?requestURI=<%=request.getRequestURI()%>", "xhr", <%=intl.getRefresh()%>000); }
   function initAjax() { setTimeout(requestAjax1, <%=intl.getRefresh()%>000);  }
+  initAjax();
 </script>
diff --git a/apps/routerconsole/jsp/torrents.jsp b/apps/routerconsole/jsp/torrents.jsp
index d7215ade7..eeec5e457 100644
--- a/apps/routerconsole/jsp/torrents.jsp
+++ b/apps/routerconsole/jsp/torrents.jsp
@@ -22,24 +22,21 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("torrents")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function setupFrame() {
       f = document.getElementById("i2psnarkframe");
       injectClass(f);
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Torrent Manager")%> <span class="newtab"><a href="/i2psnark/" target="_blank" title="<%=intl._t("Open in new tab")%>"><img src="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/newtab.png" /></a></span></h1>
 <div class="main" id="torrents">
 <iframe src="/i2psnark/" width="100%" height="100%" frameborder="0" border="0" name="i2psnarkframe" id="i2psnarkframe" onload="setupFrame()" allowtransparency="true">
diff --git a/apps/routerconsole/jsp/tunnels.jsp b/apps/routerconsole/jsp/tunnels.jsp
index 27eba0ccd..016d42c33 100644
--- a/apps/routerconsole/jsp/tunnels.jsp
+++ b/apps/routerconsole/jsp/tunnels.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("tunnel summary")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1><%=intl._t("I2P Tunnel Summary")%></h1>
 <div class="main" id="tunnels">
  <jsp:useBean class="net.i2p.router.web.helpers.TunnelHelper" id="tunnelHelper" scope="request" />
diff --git a/apps/routerconsole/jsp/viewprofile.jsp b/apps/routerconsole/jsp/viewprofile.jsp
index ff6fae53b..feef4cb0c 100644
--- a/apps/routerconsole/jsp/viewprofile.jsp
+++ b/apps/routerconsole/jsp/viewprofile.jsp
@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Peer Profile")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("Peer Profile")%></h1>
 <div class="main" id="view_profile"><div class="wideload">
diff --git a/apps/routerconsole/jsp/webmail.jsp b/apps/routerconsole/jsp/webmail.jsp
index 6491e0212..b0c321557 100644
--- a/apps/routerconsole/jsp/webmail.jsp
+++ b/apps/routerconsole/jsp/webmail.jsp
@@ -22,24 +22,21 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("webmail")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function setupFrame() {
       f = document.getElementById("susimailframe");
       injectClass(f);
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
-
+</head><body>
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Webmail")%> <span class="newtab"><a href="/susimail/" target="_blank" title="<%=intl._t("Open in new tab")%>"><img src="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/newtab.png" /></a></span></h1>
 <div class="main" id="webmail">
 <iframe src="/susimail/" width="100%" height="100%" frameborder="0" border="0" name="susimailframe" id="susimailframe" onload="setupFrame()" allowtransparency="true">
diff --git a/apps/routerconsole/jsp/welcome.jsp b/apps/routerconsole/jsp/welcome.jsp
index e00d3d587..c091faa1e 100644
--- a/apps/routerconsole/jsp/welcome.jsp
+++ b/apps/routerconsole/jsp/welcome.jsp
@@ -66,8 +66,8 @@
     wizhelper.setContextId(i2pcontextId);
     if (ipg == 4) {
 %>
-<script src="/js/welcomeajax.js" type="text/javascript"></script>
-<script type="text/javascript">
+<script src="/js/welcomeajax.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
   var failMessage = "<b><%=intl._t("Router is down")%><\/b>";
   var progressMessage = "<b><%=intl._t("Bandwidth test in progress...")%><\/b>";
   var doneMessage = "<b><%=intl._t("Bandwidth test is complete, click Next")%><\/b>";
@@ -76,22 +76,12 @@
      document.getElementById("xhr").innerHTML = progressMessage;
      setTimeout(requestAjax1, "1000");
   }
+  initAjax();
 </script>
 <%
-    }
-%>
-</head>
-<%
-    if (ipg == 4) {
-%>
-<body onload="initAjax()">
-<%
-    } else {
-%>
-<body>
-<%
-    }
+    }  // ipg == 4
 %>
+</head><body>
 <div id="wizard" class="overlay">
 
 <jsp:useBean class="net.i2p.router.web.helpers.WizardHandler" id="formhandler" scope="request" />
diff --git a/apps/susidns/src/jsp/addressbook.jsp b/apps/susidns/src/jsp/addressbook.jsp
index e4fe3f5c5..bc35f641c 100644
--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
     response.setHeader("X-Content-Type-Options", "nosniff");
     response.setHeader("Referrer-Policy", "no-referrer");
@@ -57,7 +57,7 @@
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <title>${book.book} <%=intl._t("address book")%> - susidns</title>
 <link rel="stylesheet" type="text/css" href="<%=book.getTheme()%>susidns.css?<%=net.i2p.CoreVersion.VERSION%>">
-<script src="/js/resetScroll.js" type="text/javascript"></script>
+<script src="/js/resetScroll.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 </head>
 <body>
 <div class="page">
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index 6f3cdf9af..1e0897d28 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -22,19 +22,8 @@
  *
  * $Revision: 1.1 $
  */
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %>
+<%@include file="headers.jsi" %>
 <%@page pageEncoding="UTF-8"%>
 <%@ page contentType="text/html" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index d5bb50515..6ec14814d 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -19,19 +19,8 @@
  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  *
  */
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %>
+<%@include file="headers.jsi" %>
 <%@page pageEncoding="UTF-8"%>
 <%@ page contentType="text/html"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
diff --git a/apps/susidns/src/jsp/headers.jsi b/apps/susidns/src/jsp/headers.jsi
new file mode 100644
index 000000000..4e7f145b2
--- /dev/null
+++ b/apps/susidns/src/jsp/headers.jsi
@@ -0,0 +1,12 @@
+<%
+    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
+    if (request.getCharacterEncoding() == null)
+        request.setCharacterEncoding("UTF-8");
+
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+    response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
+    response.setHeader("Referrer-Policy", "no-referrer");
+    response.setHeader("Accept-Ranges", "none");
+%>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index c7e83eeec..b63ad7483 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; frame-ancestors 'self'; media-src 'none'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
     response.setHeader("X-Content-Type-Options", "nosniff");
     response.setHeader("Referrer-Policy", "no-referrer");
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 3f1810369..2562c4259 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -22,19 +22,8 @@
  *
  * $Revision: 1.2 $
  */
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %>
+<%@include file="headers.jsi" %>
 <%@page pageEncoding="UTF-8"%>
 <%@ page contentType="text/html"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index 41c11d5e9..e70c09225 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -2008,7 +2008,7 @@ public class WebMail extends HttpServlet
 		httpRequest.setCharacterEncoding("UTF-8");
 		response.setCharacterEncoding("UTF-8");
                 response.setHeader("X-Frame-Options", "SAMEORIGIN");
-                response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+                response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
                 response.setHeader("X-XSS-Protection", "1; mode=block");
 		response.setHeader("X-Content-Type-Options", "nosniff");
 		response.setHeader("Referrer-Policy", "no-referrer");