<% /* * This should be included inside ..., * as it sets the stylesheet. * * This is included almost 30 times, so keep whitespace etc. to a minimum. */ // http://www.crazysquirrel.com/computing/general/form-encoding.jspx if (request.getCharacterEncoding() == null) request.setCharacterEncoding("UTF-8"); // Now that we use POST for most forms, these prevent the back button from working after a form submit // Just let the browser do its thing //response.setHeader("Pragma", "no-cache"); //response.setHeader("Cache-Control","no-cache"); //response.setDateHeader("Expires", 0); // the above will b0rk if the servlet engine has already flushed // the response prior to including this file, so it should be // near the top String i2pcontextId = request.getParameter("i2p.contextId"); try { if (i2pcontextId != null) { session.setAttribute("i2p.contextId", i2pcontextId); } else { i2pcontextId = (String) session.getAttribute("i2p.contextId"); } } catch (IllegalStateException ise) {} %> <% response.setHeader("Accept-Ranges", "none"); String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt()); // clickjacking if (intl.shouldSendXFrame()) { response.setHeader("X-Frame-Options", "SAMEORIGIN"); // unsafe-inline is a fallback for browsers not supporting nonce // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'"); } response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-Content-Type-Options", "nosniff"); response.setHeader("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture(), fullscreen=(self), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), vibrate=(), vr=()"); // https://www.w3.org/TR/referrer-policy/ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy // As of Chrome 56, Firefox 50, Opera 43. "same-origin" not widely supported. response.setHeader("Referrer-Policy", "no-referrer"); String conNonceParam = request.getParameter("consoleNonce"); if (net.i2p.router.web.CSSHelper.getNonce().equals(conNonceParam)) { intl.setLang(request.getParameter("lang")); intl.setNews(request.getParameter("news")); intl.setTheme(request.getParameter("theme")); } // used several times below String theUserAgent = request.getHeader("User-Agent"); String theThemePath = intl.getTheme(theUserAgent); %> <% String curlang = intl.getLang(); if (curlang.equals("zh")) { // make the fonts bigger for chinese %> <% } else if (curlang.equals("ar") || curlang.equals("fa")) { // Use RTL theme for Arabic and Persian %> <% } if (!intl.allowIFrame(theUserAgent)) { %> <% } %>