marek/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Fix CSP to allow inline style and refresh

Browse Source 
Add filter to all webapps
This commit is contained in:
zzz
2014-07-26 11:01:16 +00:00
parent 99401c5639
commit 4746d9eb80
16 changed files with 56 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
apps/addressbook/web.xml
View File

@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>addressbook</servlet-name>
<servlet-class>net.i2p.addressbook.Servlet</servlet-class>

2
apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
View File

@ -159,7 +159,7 @@ public class I2PSnarkServlet extends BasicServlet {
// this is the part after /i2psnark
String path = req.getServletPath();
resp.setHeader("X-Frame-Options", "SAMEORIGIN");
resp.setHeader("Content-Security-Policy", "default-src 'self'");
resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
resp.setHeader("X-XSS-Protection", "1; mode=block");
String peerParam = req.getParameter("p");

9
apps/i2psnark/web.xml
View File

@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>org.klomp.snark.web.I2PSnarkServlet</servlet-name>
<servlet-class>org.klomp.snark.web.I2PSnarkServlet</servlet-class>

2
apps/i2ptunnel/jsp/edit.jsp
View File

@ -2,7 +2,7 @@
// NOTE: Do the header carefully so there is no whitespace before the <?xml... line
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8"

2
apps/i2ptunnel/jsp/index.jsp
View File

@ -6,7 +6,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8"

9
apps/i2ptunnel/jsp/web.xml
View File

@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- precompiled servlets -->
<!-- yeah we could do this in a handler but this is easier -->

2
apps/i2ptunnel/jsp/wizard.jsp
View File

@ -6,7 +6,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8"

2
apps/routerconsole/jsp/css.jsi
View File

@ -32,7 +32,7 @@
// clickjacking
if (intl.shouldSendXFrame()) {
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
}

9
apps/susidns/src/WEB-INF/web-template.xml
View File

@ -3,6 +3,15 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<display-name>susidns</display-name>
<!-- precompiled servlets -->

2
apps/susidns/src/jsp/config.jsp
View File

@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>

2
apps/susidns/src/jsp/details.jsp
View File

@ -25,7 +25,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>

2
apps/susidns/src/jsp/index.jsp
View File

@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>

2
apps/susidns/src/jsp/subscriptions.jsp
View File

@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>

9
apps/susimail/src/WEB-INF/web.xml
View File

@ -3,6 +3,15 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<display-name>susimail</display-name>
<servlet>
<servlet-name>SusiMail</servlet-name>

2
apps/susimail/src/src/i2p/susi/webmail/WebMail.java
View File

@ -1562,7 +1562,7 @@ public class WebMail extends HttpServlet
httpRequest.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block");
RequestWrapper request = new RequestWrapper( httpRequest );

2
router/java/src/net/i2p/router/RouterVersion.java
View File

@ -18,7 +18,7 @@ public class RouterVersion {
/** deprecated */
public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION;
public final static long BUILD = 20;
public final static long BUILD = 21;
/** for example "-test" */
public final static String EXTRA = "-rc";