Fix the default-csp setting to conform to the spec: Use the default CSP if the setting is an empty string.
Commit
6b5606d8321c396e9a1fae769ead698d63d657d397b27749fe147cbb56bca27c
Parent
503354d1cad453c…
1 file changed
+1
-19
+1
-19
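--- a/src/style.c
+++ b/src/style.c
@@ -84,16 +84,10 @@
 /*
 ** Submenu disable flag
 */
 static int submenuEnable = 1;
 
-/*
-** Disable content-security-policy.
-** Warning: Do not disable the CSP without careful consideration!
-*/
-static int disableCSP = 0;
-
 /*
 ** Flags for various javascript files needed prior to </body>
 */
 static int needHrefJs = 0; /* href.js */
 
@@ -608,13 +602,12 @@
 const char *zFormat;
 Blob csp;
 char *zNonce;
 char *zCsp;
 int i;
-if( disableCSP ) return fossil_strdup("");
 zFormat = db_get("default-csp",0);
-if( zFormat==0 ){
+if( zFormat==0 || zFormat[0]==0 ){
 zFormat = zBackupCSP;
 }
 blob_init(&csp, 0, 0);
 while( zFormat[0] && (zNonce = strstr(zFormat,"$nonce"))!=0 ){
 blob_append(&csp, zFormat, (int)(zNonce - zFormat));
@@ -630,21 +623,10 @@
 cgi_printf_header("Content-Security-Policy: %s\r\n", zCsp);
 }
 return zCsp;
 }
 
-/*
-** Disable content security policy for the current page.
-** WARNING: Do not do this lightly!
-**
-** This routine must be called before the CSP is sued by
-** style_header().
-*/
-void style_disable_csp(void){
-disableCSP = 1;
-}
-
 /*
 ** Default HTML page header text through <body>. If the repository-specific
 ** header template lacks a <body> tag, then all of the following is
 ** prepended.
 */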
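Review bot: The new check `if( zFormat==0 || zFormat[0]==0 ){` makes an empty `default-csp` fall back to `zBackupCSP` instead of emitting an empty policy, but nothing in the hunk records that contract next to the code; a comment above the check, `/* Unset or empty default-csp means: use the built-in policy */`, would make the intent visible, and the setting's help text (outside this hunk) should say the same, since the first and third hunks remove `disableCSP` and `style_disable_csp()` and there is no longer any in-code way to turn the CSP off. A value consisting only of whitespace still passes this check and would be emitted as a near-empty header, which a browser presumably treats as an absent policy, so it is worth confirming whether the spec intends that or whether the value should be trimmed before the test. If any caller of `style_disable_csp()` survives elsewhere in the tree the build will fail; that cannot be checked from this page. The enclosing function's signature and the rest of its body lie outside the hunk.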
| --- src/style.c | |
| +++ src/style.c | |
| @@ -84,16 +84,10 @@ | |
| 84 | /* |
| 85 | ** Submenu disable flag |
| 86 | */ |
| 87 | static int submenuEnable = 1; |
| 88 | |
| 89 | /* |
| 90 | ** Disable content-security-policy. |
| 91 | ** Warning: Do not disable the CSP without careful consideration! |
| 92 | */ |
| 93 | static int disableCSP = 0; |
| 94 | |
| 95 | /* |
| 96 | ** Flags for various javascript files needed prior to </body> |
| 97 | */ |
| 98 | static int needHrefJs = 0; /* href.js */ |
| 99 | |
| @@ -608,13 +602,12 @@ | |
| 608 | const char *zFormat; |
| 609 | Blob csp; |
| 610 | char *zNonce; |
| 611 | char *zCsp; |
| 612 | int i; |
| 613 | if( disableCSP ) return fossil_strdup(""); |
| 614 | zFormat = db_get("default-csp",0); |
| 615 | if( zFormat==0 ){ |
| 616 | zFormat = zBackupCSP; |
| 617 | } |
| 618 | blob_init(&csp, 0, 0); |
| 619 | while( zFormat[0] && (zNonce = strstr(zFormat,"$nonce"))!=0 ){ |
| 620 | blob_append(&csp, zFormat, (int)(zNonce - zFormat)); |
| @@ -630,21 +623,10 @@ | |
| 630 | cgi_printf_header("Content-Security-Policy: %s\r\n", zCsp); |
| 631 | } |
| 632 | return zCsp; |
| 633 | } |
| 634 | |
| 635 | /* |
| 636 | ** Disable content security policy for the current page. |
| 637 | ** WARNING: Do not do this lightly! |
| 638 | ** |
| 639 | ** This routine must be called before the CSP is sued by |
| 640 | ** style_header(). |
| 641 | */ |
| 642 | void style_disable_csp(void){ |
| 643 | disableCSP = 1; |
| 644 | } |
| 645 | |
| 646 | /* |
| 647 | ** Default HTML page header text through <body>. If the repository-specific |
| 648 | ** header template lacks a <body> tag, then all of the following is |
| 649 | ** prepended. |
| 650 | */ |
| 651 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -84,16 +84,10 @@ | |
| 84 | /* |
| 85 | ** Submenu disable flag |
| 86 | */ |
| 87 | static int submenuEnable = 1; |
| 88 | |
| 89 | /* |
| 90 | ** Flags for various javascript files needed prior to </body> |
| 91 | */ |
| 92 | static int needHrefJs = 0; /* href.js */ |
| 93 | |
| @@ -608,13 +602,12 @@ | |
| 602 | const char *zFormat; |
| 603 | Blob csp; |
| 604 | char *zNonce; |
| 605 | char *zCsp; |
| 606 | int i; |
| 607 | zFormat = db_get("default-csp",0); |
| 608 | if( zFormat==0 || zFormat[0]==0 ){ |
| 609 | zFormat = zBackupCSP; |
| 610 | } |
| 611 | blob_init(&csp, 0, 0); |
| 612 | while( zFormat[0] && (zNonce = strstr(zFormat,"$nonce"))!=0 ){ |
| 613 | blob_append(&csp, zFormat, (int)(zNonce - zFormat)); |
| @@ -630,21 +623,10 @@ | |
| 623 | cgi_printf_header("Content-Security-Policy: %s\r\n", zCsp); |
| 624 | } |
| 625 | return zCsp; |
| 626 | } |
| 627 | |
| 628 | /* |
| 629 | ** Default HTML page header text through <body>. If the repository-specific |
| 630 | ** header template lacks a <body> tag, then all of the following is |
| 631 | ** prepended. |
| 632 | */ |
| 633 |