Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | When rendering the default header via TH1, allow the default Content-Security-Policy content to be overridden via the 'default_csp' variable. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | dynamicCsp |
| Files: | files | file ages | folders |
| SHA3-256: |
0fe4c7d97377e56a8665d678a869bde9 |
| User & Date: | mistachkin 2019-02-15 20:51:10 |
Context
|
2019-02-17
| ||
| 05:32 | Merge updates from trunk. check-in: cb881aab user: mistachkin tags: dynamicCsp | |
|
2019-02-15
| ||
| 20:51 | When rendering the default header via TH1, allow the default Content-Security-Policy content to be overridden via the 'default_csp' variable. check-in: 0fe4c7d9 user: mistachkin tags: dynamicCsp | |
|
2019-02-08
| ||
| 13:28 | Update the built-in SQLite to version 3.27.1. check-in: cf6682b1 user: drh tags: trunk | |
Changes
Changes to src/style.c.
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
...
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
|
** header template lacks a <body> tag, then all of the following is ** prepended. */ static char zDfltHeader[] = @ <html> @ <head> @ <base href="$baseurl/$current_page" /> @ <meta http-equiv="Content-Security-Policy" \ @ content="default-src 'self' data: ; \ @ script-src 'self' 'nonce-$<nonce>' ;\ @ style-src 'self' 'unsafe-inline'" /> @ <meta name="viewport" content="width=device-width, initial-scale=1.0"> @ <title>$<project_name>: $<title></title> @ <link rel="alternate" type="application/rss+xml" title="RSS Feed" \ @ href="$home/timeline.rss" /> @ <link rel="stylesheet" href="$stylesheet_url" type="text/css" \ @ media="screen" /> @ </head> ................................................................................ @ <body> ; /* ** Initialize all the default TH1 variables */ static void style_init_th1_vars(const char *zTitle){ Th_Store("nonce", style_nonce()); Th_Store("project_name", db_get("project-name","Unnamed Fossil Project")); Th_Store("project_description", db_get("project-description","")); if( zTitle ) Th_Store("title", zTitle); Th_Store("baseurl", g.zBaseURL); Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL); Th_Store("home", g.zTop); Th_Store("index_page", db_get("index-page","/home")); if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath); Th_Store("current_page", local_zCurrentPage); Th_Store("csrf_token", g.zCsrfToken); Th_Store("release_version", RELEASE_VERSION); Th_Store("manifest_version", MANIFEST_VERSION); |
|
<
<
<
>
>
>
>
>
|
>
>
|
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
...
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
|
** header template lacks a <body> tag, then all of the following is ** prepended. */ static char zDfltHeader[] = @ <html> @ <head> @ <base href="$baseurl/$current_page" /> @ <meta http-equiv="Content-Security-Policy" content="$default_csp" /> @ <meta name="viewport" content="width=device-width, initial-scale=1.0"> @ <title>$<project_name>: $<title></title> @ <link rel="alternate" type="application/rss+xml" title="RSS Feed" \ @ href="$home/timeline.rss" /> @ <link rel="stylesheet" href="$stylesheet_url" type="text/css" \ @ media="screen" /> @ </head> ................................................................................ @ <body> ; /* ** Initialize all the default TH1 variables */ static void style_init_th1_vars(const char *zTitle){ const char *zNonce = style_nonce(); char *zDfltCsp = sqlite3_mprintf("default-src 'self' data: ; " "script-src 'self' 'nonce-%s' ; " "style-src 'self' 'unsafe-inline'", zNonce); Th_Store("nonce", zNonce); Th_Store("project_name", db_get("project-name","Unnamed Fossil Project")); Th_Store("project_description", db_get("project-description","")); if( zTitle ) Th_Store("title", zTitle); Th_Store("baseurl", g.zBaseURL); Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL); Th_Store("default_csp", zDfltCsp); sqlite3_free(zDfltCsp); Th_Store("home", g.zTop); Th_Store("index_page", db_get("index-page","/home")); if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath); Th_Store("current_page", local_zCurrentPage); Th_Store("csrf_token", g.zCsrfToken); Th_Store("release_version", RELEASE_VERSION); Th_Store("manifest_version", MANIFEST_VERSION); |
Changes to www/customskin.md.
231 232 233 234 235 236 237 238 239 240 241 242 243 244 |
specified by the Admin/Configuration setup page.
* **current_page** - The name of the page currently being processed,
without the leading "/" and without query parameters.
Examples: "timeline", "doc/trunk/README.txt", "wiki".
* **csrf_token** - A token used to prevent cross-site request forgery.
* **release_version** - The release version of Fossil. Ex: "1.31"
* **manifest_version** - A prefix on the check-in hash of the
specific version of fossil that is running. Ex: "\[47bb6432a1\]"
* **manifest_date** - The date of the source-code check-in for the
|
> > > |
231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 |
specified by the Admin/Configuration setup page.
* **current_page** - The name of the page currently being processed,
without the leading "/" and without query parameters.
Examples: "timeline", "doc/trunk/README.txt", "wiki".
* **csrf_token** - A token used to prevent cross-site request forgery.
* **default_csp** - The content to be used within the default header
for the "Content-Security-Policy" meta tag.
* **release_version** - The release version of Fossil. Ex: "1.31"
* **manifest_version** - A prefix on the check-in hash of the
specific version of fossil that is running. Ex: "\[47bb6432a1\]"
* **manifest_date** - The date of the source-code check-in for the
|