diff --git a/apps/addressbook/web.xml b/apps/addressbook/web.xml
index b791b4ea0e887b8027008db37bfc7ae345d4516c..1aebb0d0964a4e6db360cd5e5b83881a71715404 100644
--- a/apps/addressbook/web.xml
+++ b/apps/addressbook/web.xml
@@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
+ <filter>
+ <filter-name>XSSFilter</filter-name>
+ <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<servlet>
<servlet-name>addressbook</servlet-name>
<servlet-class>net.i2p.addressbook.Servlet</servlet-class>
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 1393238a3c55934fce2a5338a0aea3fb755b8243..75aa762856ed10db030317b5fc96a9e06bea5e13 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -159,7 +159,7 @@ public class I2PSnarkServlet extends BasicServlet {
// this is the part after /i2psnark
String path = req.getServletPath();
resp.setHeader("X-Frame-Options", "SAMEORIGIN");
- resp.setHeader("Content-Security-Policy", "default-src 'self'");
+ resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
resp.setHeader("X-XSS-Protection", "1; mode=block");
String peerParam = req.getParameter("p");
diff --git a/apps/i2psnark/web.xml b/apps/i2psnark/web.xml
index 2925ff00e3267ce2a2539db7ca0e61ba489a1b46..68e6abd6412fd4bac016ddb8c83c1a3a75f090e4 100644
--- a/apps/i2psnark/web.xml
+++ b/apps/i2psnark/web.xml
@@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
+ <filter>
+ <filter-name>XSSFilter</filter-name>
+ <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<servlet>
<servlet-name>org.klomp.snark.web.I2PSnarkServlet</servlet-name>
<servlet-class>org.klomp.snark.web.I2PSnarkServlet</servlet-class>
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index bbe562eef053e55f515d9871af8a069f2264b08b..08b07c7a5995e14a2cc9a8ec05bde79d5482d1e9 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -2,7 +2,7 @@
// NOTE: Do the header carefully so there is no whitespace before the <?xml... line
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8"
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index 8a401d68b7558282e75bab550fd6128ca5d93e13..f1117a272a64938d1ce5d711ba137fb93986e956 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -6,7 +6,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8"
diff --git a/apps/i2ptunnel/jsp/web.xml b/apps/i2ptunnel/jsp/web.xml
index d8d51c82396d19b6e52c1aa16bcf048440733288..1fd11c13d8adb73bab7a400ef46d2a6cedc60a3c 100644
--- a/apps/i2ptunnel/jsp/web.xml
+++ b/apps/i2ptunnel/jsp/web.xml
@@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
+ <filter>
+ <filter-name>XSSFilter</filter-name>
+ <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<!-- precompiled servlets -->
<!-- yeah we could do this in a handler but this is easier -->
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index b885b5afe6cfabf08d2b71e1caa6bbb75ae5b53a..0749bb54ab4c465fd59fb86689a77dca19497a55 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -6,7 +6,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8"
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index a9446b037c5834122d7cd086c21e1a45c07517df..50c70d875c1ccfeb115de598c46fc5a45e1f0bcf 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -32,7 +32,7 @@
// clickjacking
if (intl.shouldSendXFrame()) {
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
}
diff --git a/apps/susidns/src/WEB-INF/web-template.xml b/apps/susidns/src/WEB-INF/web-template.xml
index 912be2f4cc5f7e0caa7f1f96123aacc9da1b5719..599826246b4edbb48d0f426db5a7bf53dcd0d566 100644
--- a/apps/susidns/src/WEB-INF/web-template.xml
+++ b/apps/susidns/src/WEB-INF/web-template.xml
@@ -3,6 +3,15 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
+ <filter>
+ <filter-name>XSSFilter</filter-name>
+ <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<display-name>susidns</display-name>
<!-- precompiled servlets -->
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index 1a9fb918d14bfba96a276afaf9c89036d947ce59..6a650d3f5d1d5ed19e458562978ef1d2e3c531d9 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index cc0ba4df64d05d2b8d42ade05f779e74a6a3c134..9334e43ca74d01533933d57973daa78dcf15eb6b 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -25,7 +25,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index 8c50f667405b0d5178ce12468dfb4cb7b0a07ce5..505beeec7fd017b0fe8652a4024d5618d1cbab1e 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 002687003cf7186fad4368608c65fab1f76cd6db..db588c6a8dd52d27ecfdae4a3128802b7ed17b6c 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
diff --git a/apps/susimail/src/WEB-INF/web.xml b/apps/susimail/src/WEB-INF/web.xml
index 75aa1fd48458fa0c2eaac924a69196989af10900..23adde2d5b4eb77df38bfc366c1a640b85b25e30 100644
--- a/apps/susimail/src/WEB-INF/web.xml
+++ b/apps/susimail/src/WEB-INF/web.xml
@@ -3,6 +3,15 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
+ <filter>
+ <filter-name>XSSFilter</filter-name>
+ <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<display-name>susimail</display-name>
<servlet>
<servlet-name>SusiMail</servlet-name>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index a9391efc433dd5c9d6f631cbe89ac7da84f3d058..b67dbdfb80566232d62bbf4665d3d252d87b48d2 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1562,7 +1562,7 @@ public class WebMail extends HttpServlet
httpRequest.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
- response.setHeader("Content-Security-Policy", "default-src 'self'");
+ response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
RequestWrapper request = new RequestWrapper( httpRequest );
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 78754ef283e16db5cd2b1d1d3233ad3f5d57cdce..601535dbe67ba1041e3cbf512b3420489cd8bf41 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
/** deprecated */
public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION;
- public final static long BUILD = 20;
+ public final static long BUILD = 21;
/** for example "-test" */
public final static String EXTRA = "-rc";