AGentooCat/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Console, webapps: CSP improvements

Browse Source 
i2ptunnel, susidns: Add headers.jsi
Console: Remove onload and use nonce for inline scripts where able
Version remaining js links
This commit is contained in:
zzz
2019-12-25 12:18:00 +00:00
parent 63b48e30be
commit fa9f60bcd9
64 changed files with 118 additions and 279 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
apps/jetty/java/src/net/i2p/servlet/ErrorServlet.java
View File

@@ -90,7 +90,7 @@ public class ErrorServlet extends HttpServlet {
resp.setDateHeader("Expires", 0);
resp.setHeader("Cache-Control", "no-store, max-age=0, no-cache, must-revalidate");
resp.setHeader("Pragma", "no-cache");
resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'none'");
resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'none'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
Integer ERROR_CODE = (Integer) req.getAttribute("javax.servlet.error.status_code");
String ERROR_URI = (String) req.getAttribute("javax.servlet.error.request_uri");
String ERROR_MESSAGE = (String) req.getAttribute("javax.servlet.error.message");
@@ -114,6 +114,7 @@ public class ErrorServlet extends HttpServlet {
ERROR_URI.endsWith(".ico") ||
ERROR_URI.endsWith(".svg") ||
ERROR_URI.endsWith(".txt") ||
ERROR_URI.endsWith(".js") ||
ERROR_URI.endsWith(".css"))) {
// keep it simple
resp.setContentType("text/plain");