jenkins-bot has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/325155 )
Change subject: Move custom js to file and tighten CSP rules
......................................................................
Move custom js to file and tighten CSP rules
Move the inline javascript for session keepalive to a static js file.
This is needed to comply with the content security policy of 'self'
which keeps inline javascript from executing.
The prior update of jQuery and Modernizr versions also allows us to
update the content security policy rules to exclude unsafe-inline
styles. The rules used are fundamentally the same rules used by Striker
with the addition of data: as an image source which is needed by the
inline sprites used in main.css.
Change-Id: I3b4862c78953a2e82b74f9f150aa228d51476ed4
---
M data/templates/apply.html
R public/js/apply.js
M src/App.php
3 files changed, 26 insertions(+), 5 deletions(-)
Approvals:
Niharika29: Looks good to me, approved
jenkins-bot: Verified
diff --git a/data/templates/apply.html b/data/templates/apply.html
index 5b477aa..4d880c8 100644
--- a/data/templates/apply.html
+++ b/data/templates/apply.html
@@ -18,9 +18,7 @@
{% block nav_li_apply %}class="active"{% endblock %}
{% block javascript %}
-<script type="text/javascript">
-{% include 'apply.js' %}
-</script>
+<script src="{{ siteUrl( 'js/apply.js' ) }}"></script>
{% endblock javascript %}
{% block content %}
diff --git a/data/templates/apply.js b/public/js/apply.js
similarity index 92%
rename from data/templates/apply.js
rename to public/js/apply.js
index 14070c0..3f463be 100644
--- a/data/templates/apply.js
+++ b/public/js/apply.js
@@ -3,10 +3,10 @@
lastActive = 0,
refreshCsrf = function() {
return $.getJSON(
- '{{ urlFor( "revalidatecsrf") }}',
+ '/apply/revalidatecsrf',
function( data ) {
var $token = $( '#token' );
- $token.val( data[ "{{ csrf_param }}" ] );
+ $token.val( data.csrf_token );
console.log( 'csrf token: ' + $token.val() );
}
);
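Review bot: The hard-coded `'/apply/revalidatecsrf'` passed to `$.getJSON` assumes the application is mounted at the site root, whereas the templated version it replaces resolved the route through `urlFor()`; the companion template change still resolves the script itself via `siteUrl( 'js/apply.js' )`, so under a path prefix the script would load but every keepalive request would miss, and the only symptom is the existing `console.log` output. The same applies to the `data.csrf_token` key, which was previously supplied as `csrf_param` rather than duplicated in the static file. Consider having the template carry both values, e.g. `<input id="token" ... data-refresh-url="{{ urlFor( 'revalidatecsrf' ) }}" data-csrf-param="{{ csrf_param }}">`, and reading them in the script with `$token.data( 'refreshUrl' )` and `$token.data( 'csrfParam' )` so the server remains the single source for routes and parameter names. The `var` statement that declares `refreshCsrf` begins before this hunk.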
diff --git a/src/App.php b/src/App.php
index 272d31b..6f48f68 100644
--- a/src/App.php
+++ b/src/App.php
@@ -494,4 +494,27 @@
} );
}
+ /**
+ * @inherit
+ */
+ protected function configureHeaderMiddleware() {
+ $headers = parent::configureHeaderMiddleware();
+ $headers['Content-Security-Policy'] =
+ "style-src 'self'; " .
+ "form-action 'self'; " .
+ "font-src 'self'; ".
+ "child-src 'none'; " .
+ "connect-src 'self'; " .
+ "script-src 'self'; " .
+ "sandbox allow-forms allow-same-origin allow-scripts
allow-top-navigation; " .
+ "object-src 'none'; " .
+ "default-src 'none'; " .
+ "frame-ancestors 'none'; " .
+ "media-src 'none'; " .
+ "base-uri 'none'; " .
+ // Needed for css data:... sprites
+ "img-src 'self' data:;";
+ return $headers;
+ }
+
} // end App
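Review bot: The policy in `configureHeaderMiddleware` is assembled by hand-concatenating thirteen string fragments, which has already produced inconsistent spacing on the `font-src` line (`"font-src 'self'; ".`) and a trailing `;` after the final `img-src` directive; a missing `; ` in one fragment would silently merge two directives into one invalid one, and nothing here would catch it. Building the header from an array of directives and joining with `implode('; ', ...)` makes each directive a single entry, keeps the `// Needed for css data:... sprites` comment attached to the entry it explains, and removes the separator from every line. The `sandbox` directive appears split across two lines in this rendering, presumably from mail wrapping rather than the source; worth confirming it is a single string literal in the committed file. The docblock tag `@inherit` is not a recognised PHPDoc tag; `{@inheritDoc}` is the form tooling understands.
```php
protected function configureHeaderMiddleware() {
    $headers = parent::configureHeaderMiddleware();
    $directives = [
        "default-src 'none'",
        "script-src 'self'",
        "style-src 'self'",
        "font-src 'self'",
        // Needed for css data:... sprites
        "img-src 'self' data:",
        "connect-src 'self'",
        "form-action 'self'",
        "child-src 'none'",
        "object-src 'none'",
        "media-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",
        "sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation",
    ];
    $headers['Content-Security-Policy'] = implode('; ', $directives);
    return $headers;
}
```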
--
Gerrit-MessageType: merged
Gerrit-Change-Id: I3b4862c78953a2e82b74f9f150aa228d51476ed4
Gerrit-PatchSet: 5
Gerrit-Project: wikimedia/wikimania-scholarships
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: Niharika29 <[email protected]>
Gerrit-Reviewer: jenkins-bot <>