i2p.i2p/apps/routerconsole/jsp/css.jsi

<%
   /*
    * This should be included inside <head>...</head>,
    * as it sets the stylesheet.
    *
    * This is included almost 30 times, so keep whitespace etc. to a minimum.
    */

   // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
   if (request.getCharacterEncoding() == null)
       request.setCharacterEncoding("UTF-8");

   // Now that we use POST for most forms, these prevent the back button from working after a form submit
   // Just let the browser do its thing
   //response.setHeader("Pragma", "no-cache");
   //response.setHeader("Cache-Control","no-cache");
   //response.setDateHeader("Expires", 0);

   // the above will b0rk if the servlet engine has already flushed
   // the response prior to including this file, so it should be
   // near the top

   String i2pcontextId = request.getParameter("i2p.contextId");
   try {
       if (i2pcontextId != null) {
           session.setAttribute("i2p.contextId", i2pcontextId);
       } else {
           i2pcontextId = (String) session.getAttribute("i2p.contextId");
       }
   } catch (IllegalStateException ise) {}

%><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />
<jsp:setProperty name="intl" property="contextId" value="<%=i2pcontextId%>" /><%

   response.setHeader("Accept-Ranges", "none");

   String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());

   // clickjacking
   if (intl.shouldSendXFrame()) {
      response.setHeader("X-Frame-Options", "SAMEORIGIN");
      // unsafe-inline is a fallback for browsers not supporting nonce
      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
      // we need unsafe-inline for the /netdb SVG
      if ("/netdb.jsp".equals(request.getServletPath()))
          response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
      else
          response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
   }
   response.setHeader("X-XSS-Protection", "1; mode=block");
   response.setHeader("X-Content-Type-Options", "nosniff");
   response.setHeader("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), fullscreen=(self), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), vibrate=(), vr=()");
   // https://www.w3.org/TR/referrer-policy/
   // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
   // As of Chrome 56, Firefox 50, Opera 43. "same-origin" not widely supported.
   response.setHeader("Referrer-Policy", "no-referrer");

   String conNonceParam = request.getParameter("consoleNonce");
   if (net.i2p.router.web.CSSHelper.getNonce().equals(conNonceParam)) {
       intl.setLang(request.getParameter("lang"));
       intl.setNews(request.getParameter("news"));
       intl.setTheme(request.getParameter("theme"));
   }
   // used several times below
   String theUserAgent = request.getHeader("User-Agent");
   String theThemePath = intl.getTheme(theUserAgent);
%><link rel="icon" href="<%=theThemePath%>images/favicon.ico">
<link id="pagestyle" href="<%=theThemePath%>console.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">
<%
   String curlang = intl.getLang();
   if (curlang.equals("zh") || curlang.equals("gan")) {
       // make the fonts bigger for chinese
%><link href="<%=theThemePath%>console_big.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">
<%
   } else if (curlang.equals("ar") || curlang.equals("fa")) {
       // Use RTL theme for Arabic and Persian
%><link href="<%=theThemePath%>console_ar.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">
<%
   }
   if (!intl.allowIFrame(theUserAgent)) {
%><meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" />
<link href="<%=theThemePath%>mobile.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">
<%
   }
%>
* Console: - Move the console css from default.css in the .war to docs/themes/console/console.css, and support console themes in the main console with routerconsole.theme=foo 2009-06-11 18:05:05 +00:00			`<%`
			`/*`
			`* This should be included inside <head>...</head>,`
			`* as it sets the stylesheet.`
* Console: - Put favicon on every page - Make every page UTF-8 2009-08-20 14:35:32 +00:00			`*`
			`* This is included almost 30 times, so keep whitespace etc. to a minimum.`
* Console: - Move the console css from default.css in the .war to docs/themes/console/console.css, and support console themes in the main console with routerconsole.theme=foo 2009-06-11 18:05:05 +00:00			`*/`

* I2CP: Fix the SessionConfig serializer in DataHelper, so that UTF-8 tunnel names are not corrupted by I2CP and can be displayed on the console * Fix UTF-8 form submission on console and i2ptunnel 2009-08-20 22:22:07 +00:00			`// http://www.crazysquirrel.com/computing/general/form-encoding.jspx`
			`if (request.getCharacterEncoding() == null)`
			`request.setCharacterEncoding("UTF-8");`

remove cache directives 2011-03-19 18:34:39 +00:00			`// Now that we use POST for most forms, these prevent the back button from working after a form submit`
			`// Just let the browser do its thing`
			`//response.setHeader("Pragma", "no-cache");`
			`//response.setHeader("Cache-Control","no-cache");`
			`//response.setDateHeader("Expires", 0);`

* Console: - Move the console css from default.css in the .war to docs/themes/console/console.css, and support console themes in the main console with routerconsole.theme=foo 2009-06-11 18:05:05 +00:00			`// the above will b0rk if the servlet engine has already flushed`
HTML bugfixes in routerconsole pages. 2009-08-15 16:08:33 +00:00			`// the response prior to including this file, so it should be`
* Console: - Move the console css from default.css in the .war to docs/themes/console/console.css, and support console themes in the main console with routerconsole.theme=foo 2009-06-11 18:05:05 +00:00			`// near the top`
HTML bugfixes in routerconsole pages. 2009-08-15 16:08:33 +00:00
Console: Catch ISE in get/setAttribute() (ticket #1529) 2018-07-28 19:03:01 +00:00			`String i2pcontextId = request.getParameter("i2p.contextId");`
			`try {`
			`if (i2pcontextId != null) {`
			`session.setAttribute("i2p.contextId", i2pcontextId);`
			`} else {`
			`i2pcontextId = (String) session.getAttribute("i2p.contextId");`
			`}`
			`} catch (IllegalStateException ise) {}`
Console: Only call getTheme() once 2020-05-02 10:38:37 +00:00
jsi whitespace removal 2018-11-13 17:48:58 +00:00			`%><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">`
- Rename cssHelper to intl for ease of tagging - configui.jsp post-prop fixup 2009-10-23 13:55:44 +00:00			`<jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />`
Console: Only call getTheme() once 2020-05-02 10:38:37 +00:00			`<jsp:setProperty name="intl" property="contextId" value="<%=i2pcontextId%>" /><%`

Servlets: Add Accept-Ranges headers 2018-03-09 16:02:00 +00:00			`response.setHeader("Accept-Ranges", "none");`

Console, webapps: CSP improvements i2ptunnel, susidns: Add headers.jsi Console: Remove onload and use nonce for inline scripts where able Version remaining js links 2019-12-25 12:18:00 +00:00			`String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());`

add X-Frame-Options to console headers 2012-05-13 13:05:17 +00:00			`// clickjacking`
* Console: - Fix several XSS issues (thx Aaron Portnoy of Exodus Intel) - Add Content-Security-Policy and X-XSS-Protection headers - Disable changing news feed URL from UI - Disable plugin install from UI - Disable setting unsigned update URL from UI - Disable /configadvanced * DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit) * ExecNamingService: Disable (thx joernchen of Phenoelit) * Startup: Add susimail.config to migrated files 2014-07-26 09:32:26 +00:00			`if (intl.shouldSendXFrame()) {`
add X-Frame-Options to console headers 2012-05-13 13:05:17 +00:00			`response.setHeader("X-Frame-Options", "SAMEORIGIN");`
Console, webapps: CSP improvements i2ptunnel, susidns: Add headers.jsi Console: Remove onload and use nonce for inline scripts where able Version remaining js links 2019-12-25 12:18:00 +00:00			`// unsafe-inline is a fallback for browsers not supporting nonce`
			`// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src`
Console: Add world map with locations of routers and tunnels 2025-04-08 12:56:04 +00:00			`// we need unsafe-inline for the /netdb SVG`
			`if ("/netdb.jsp".equals(request.getServletPath()))`
			`response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");`
			`else`
			`response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");`
* Console: - Fix several XSS issues (thx Aaron Portnoy of Exodus Intel) - Add Content-Security-Policy and X-XSS-Protection headers - Disable changing news feed URL from UI - Disable plugin install from UI - Disable setting unsigned update URL from UI - Disable /configadvanced * DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit) * ExecNamingService: Disable (thx joernchen of Phenoelit) * Startup: Add susimail.config to migrated files 2014-07-26 09:32:26 +00:00			`}`
Console: Add preliminary Permissions-Policy header other places TODO 2021-06-18 09:58:57 -04:00			`response.setHeader("X-XSS-Protection", "1; mode=block");`
			`response.setHeader("X-Content-Type-Options", "nosniff");`
Console: Fix typo in Permissions-Policy header causing Chrome to complain 2024-06-26 11:45:29 -04:00			`response.setHeader("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), fullscreen=(self), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), vibrate=(), vr=()");`
Console: Add Referrer-Policy header 2016-12-23 12:35:41 +00:00			`// https://www.w3.org/TR/referrer-policy/`
			`// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy`
			`// As of Chrome 56, Firefox 50, Opera 43. "same-origin" not widely supported.`
			`response.setHeader("Referrer-Policy", "no-referrer");`
add X-Frame-Options to console headers 2012-05-13 13:05:17 +00:00
* Console: - Parameterize download button tags (ticket #425) - Clean up summary bar HTML warnings - Just display a summary bar link for text browsers - Move welcome div from the readme files to index.jsp - Require a nonce to change language 2011-03-08 03:07:02 +00:00			`String conNonceParam = request.getParameter("consoleNonce");`
lint core, console, i2ptunnel, jetty 2015-10-17 17:38:57 +00:00			`if (net.i2p.router.web.CSSHelper.getNonce().equals(conNonceParam)) {`
* Console: - Parameterize download button tags (ticket #425) - Clean up summary bar HTML warnings - Just display a summary bar link for text browsers - Move welcome div from the readme files to index.jsp - Require a nonce to change language 2011-03-08 03:07:02 +00:00			`intl.setLang(request.getParameter("lang"));`
* Console: Add ability to hide news 2011-11-09 18:38:39 +00:00			`intl.setNews(request.getParameter("news"));`
Console: Add js to /configui to preview themes Save theme change before form processing so no refresh required Enable/disable reset and apply buttons on config clicks Prep for theme picker in wizard 2021-09-30 09:55:35 -04:00			`intl.setTheme(request.getParameter("theme"));`
* Console: - Parameterize download button tags (ticket #425) - Clean up summary bar HTML warnings - Just display a summary bar link for text browsers - Move welcome div from the readme files to index.jsp - Require a nonce to change language 2011-03-08 03:07:02 +00:00			`}`
Console: Add js to /configui to preview themes Save theme change before form processing so no refresh required Enable/disable reset and apply buttons on config clicks Prep for theme picker in wizard 2021-09-30 09:55:35 -04:00			`// used several times below`
			`String theUserAgent = request.getHeader("User-Agent");`
			`String theThemePath = intl.getTheme(theUserAgent);`
			`%><link rel="icon" href="<%=theThemePath%>images/favicon.ico">`
			`<link id="pagestyle" href="<%=theThemePath%>console.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">`
* Console: - Don't hide link to configui.jsp for IE any more - Add lang selection on configui.jsp - Tag strings in configui.jsp - Load console_big.css if lang == zh - Add _x() tag for static iniitializers - HTML transitional input tags 2009-10-22 22:25:53 +00:00			`<%`
Console: Use RTL CSS for Persian thx drzed 2023-11-02 15:24:08 -04:00			`String curlang = intl.getLang();`
Add complete Gan Chinese translation 2024-11-26 12:15:32 -05:00			`if (curlang.equals("zh") \|\| curlang.equals("gan")) {`
* Fixes after review: - Fix Polish po file - Install as a service by default on Windows again - Change CPUID getters to package private - Split new jbigi install messages into two lines - Javadocs 2011-06-26 19:07:01 +00:00			`// make the fonts bigger for chinese`
Console: Only call getTheme() once 2020-05-02 10:38:37 +00:00			`%><link href="<%=theThemePath%>console_big.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">`
* Console: - Don't hide link to configui.jsp for IE any more - Add lang selection on configui.jsp - Tag strings in configui.jsp - Load console_big.css if lang == zh - Add _x() tag for static iniitializers - HTML transitional input tags 2009-10-22 22:25:53 +00:00			`<%`
Console: Use RTL CSS for Persian thx drzed 2023-11-02 15:24:08 -04:00			`} else if (curlang.equals("ar") \|\| curlang.equals("fa")) {`
			`// Use RTL theme for Arabic and Persian`
Console: Only call getTheme() once 2020-05-02 10:38:37 +00:00			`%><link href="<%=theThemePath%>console_ar.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">`
Fixed up mobile view of routerconsole with a mobile.css in each theme 2013-01-19 03:42:54 +00:00			`<%`
			`}`
Console: Only call getTheme() once 2020-05-02 10:38:37 +00:00			`if (!intl.allowIFrame(theUserAgent)) {`
jsi whitespace removal 2018-11-13 17:48:58 +00:00			`%><meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" />`
Console: Only call getTheme() once 2020-05-02 10:38:37 +00:00			`<link href="<%=theThemePath%>mobile.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css">`
Fixed RTL bug in console: Arabic is displayed with right aligned text using a custom console_ar.css 2011-06-20 16:27:58 +00:00			`<%`
			`}`
fix missing classic icons from imagegen css/index, removed classic reference ie-compatability from css.jsi 2020-08-24 17:15:40 +00:00			`%>`