BryanDavis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/325155
Change subject: Move custom js to file and tighten CSP rules
......................................................................
Move custom js to file and tighten CSP rules
Move the inline javascript for session keepalive to a static js file.
This is needed to comply with the content security policy of 'self'
which keeps inline javascript from executing.
The prior update of jQuery and Modernizr versions also allows us to
update the content security policy rules to exclude unsafe-inline
styles. The rules used are fundamentally the same rules used by Striker
with the addition of data: as an image source which is needed by the
inline sprites used in main.css.
Change-Id: I3b4862c78953a2e82b74f9f150aa228d51476ed4
---
M data/templates/apply.html
R public/js/apply.js
M src/App.php
3 files changed, 26 insertions(+), 5 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/wikimedia/wikimania-scholarships
refs/changes/55/325155/1
diff --git a/data/templates/apply.html b/data/templates/apply.html
index 5b477aa..4d880c8 100644
--- a/data/templates/apply.html
+++ b/data/templates/apply.html
@@ -18,9 +18,7 @@
{% block nav_li_apply %}class="active"{% endblock %}
{% block javascript %}
-<script type="text/javascript">
-{% include 'apply.js' %}
-</script>
+<script src="{{ siteUrl( 'js/apply.js' ) }}"></script>
{% endblock javascript %}
{% block content %}
diff --git a/data/templates/apply.js b/public/js/apply.js
similarity index 92%
rename from data/templates/apply.js
rename to public/js/apply.js
index 14070c0..7d7e132 100644
--- a/data/templates/apply.js
+++ b/public/js/apply.js
@@ -3,10 +3,10 @@
lastActive = 0,
refreshCsrf = function() {
return $.getJSON(
- '{{ urlFor( "revalidatecsrf") }}',
+ '/apply/revalidatecsrf',
function( data ) {
var $token = $( '#token' );
- $token.val( data[ "{{ csrf_param }}" ] );
+ $token.val( data[ "csrf_token" ] );
console.log( 'csrf token: ' + $token.val() );
}
);
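Review bot: The hard-coded path on the new line `'/apply/revalidatecsrf',` drops the named-route lookup that `urlFor( "revalidatecsrf" )` provided, while the template that loads this file still resolves its own URL through `siteUrl(...)`, so if the application is ever served under a path prefix the keepalive request will fail quietly and the token will stop refreshing (whether the route resolves to that exact path today is not visible here). Rather than baking the path and the `csrf_token` key into a static public asset, have the template hand them over as data attributes, e.g. `<script src="{{ siteUrl( 'js/apply.js' ) }}" data-refresh-url="{{ urlFor( 'revalidatecsrf' ) }}" data-csrf-param="{{ csrf_param }}"></script>`, and read them with `$( 'script[data-refresh-url]' ).data( 'refreshUrl' )` / `.data( 'csrfParam' )` in place of the two literals. The unchanged `console.log( 'csrf token: ' + $token.val() );` prints the anti-CSRF token to the browser console on every refresh; it predates this change, but now that the file is a plain static script it is worth removing. The `refreshCsrf` function starts before the hunk and its closing brace is outside it.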
diff --git a/src/App.php b/src/App.php
index 272d31b..6f48f68 100644
--- a/src/App.php
+++ b/src/App.php
@@ -494,4 +494,27 @@
} );
}
+ /**
+ * @inherit
+ */
+ protected function configureHeaderMiddleware() {
+ $headers = parent::configureHeaderMiddleware();
+ $headers['Content-Security-Policy'] =
+ "style-src 'self'; " .
+ "form-action 'self'; " .
+ "font-src 'self'; ".
+ "child-src 'none'; " .
+ "connect-src 'self'; " .
+ "script-src 'self'; " .
+ "sandbox allow-forms allow-same-origin allow-scripts
allow-top-navigation; " .
+ "object-src 'none'; " .
+ "default-src 'none'; " .
+ "frame-ancestors 'none'; " .
+ "media-src 'none'; " .
+ "base-uri 'none'; " .
+ // Needed for css data:... sprites
+ "img-src 'self' data:;";
+ return $headers;
+ }
+
} // end App
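Review bot: The `sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation` directive re-enables forms, scripts, same-origin access and top navigation, so what it still blocks is roughly popups, modal dialogs, pointer/orientation lock and (in newer browsers) downloads rather than any origin isolation; that is a defensible defence-in-depth choice carried over from Striker, but a short comment such as `// sandbox only restricts popups/modals/pointer-lock here; origin and scripts are deliberately re-enabled` would keep a later reader from assuming more than it gives. `@inherit` on the docblock is not a recognised PHPDoc tag; use `{@inheritDoc}` or a real summary like `Add a strict Content-Security-Policy to the headers built by the parent.` so tooling and readers pick it up. The concatenation spacing is inconsistent (`"font-src 'self'; ".` versus `"child-src 'none'; " .`), and listing `default-src 'none'` first would make the fallback policy visible at a glance. `child-src` is deprecated in CSP Level 3 in favour of `frame-src`/`worker-src`; with `default-src 'none'` both already fall back to none, so it is redundant unless kept for older browsers on purpose. Since the commit message says the policy was only just tightened, shipping it briefly as `Content-Security-Policy-Report-Only` with a `report-uri` would surface any remaining inline style or script before enforcement breaks the form.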
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3b4862c78953a2e82b74f9f150aa228d51476ed4
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/wikimania-scholarships
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>