Console: Add X-Content-Type-Options header everywhere (ticket #1763)
@ -378,7 +378,7 @@ class BasicServlet extends HttpServlet
|
|||||||
{
|
{
|
||||||
if (content.getContentType()!=null && response.getContentType()==null)
|
if (content.getContentType()!=null && response.getContentType()==null)
|
||||||
response.setContentType(content.getContentType());
|
response.setContentType(content.getContentType());
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
long lml = content.getLastModified();
|
long lml = content.getLastModified();
|
||||||
if (lml > 0)
|
if (lml > 0)
|
||||||
response.setDateHeader("Last-Modified",lml);
|
response.setDateHeader("Last-Modified",lml);
|
||||||
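Review bot: The new `X-Content-Type-Options: nosniff` right after `response.setContentType(content.getContentType())` is emitted unconditionally, whereas the Content-Type itself is only set when `content.getContentType()` is non-null and the response has no type yet. A response that ends up with no Content-Type but carries nosniff will no longer be sniffed, and browsers that honor the header reject a script or stylesheet whose type is missing instead of guessing it, so confirm the content source always supplies a type or set an explicit fallback such as `response.setContentType("application/octet-stream")` in the null case. The enclosing method of BasicServlet starts and ends outside this hunk.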
@ -394,7 +394,6 @@ class BasicServlet extends HttpServlet
|
|||||||
long ct = content.getCacheTime();
|
long ct = content.getCacheTime();
|
||||||
if (ct>=0)
|
if (ct>=0)
|
||||||
response.setHeader("Cache-Control", "public, max-age=" + ct);
|
response.setHeader("Cache-Control", "public, max-age=" + ct);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ------------------------------------------------------------ */
|
/* ------------------------------------------------------------ */
|
||||||
|
@ -379,6 +379,7 @@ public class I2PSnarkServlet extends BasicServlet {
|
|||||||
resp.setHeader("Pragma", "no-cache");
|
resp.setHeader("Pragma", "no-cache");
|
||||||
resp.setHeader("X-Frame-Options", "SAMEORIGIN");
|
resp.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
resp.setHeader("X-XSS-Protection", "1; mode=block");
|
resp.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
resp.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
}
|
}
|
||||||
|
|
||||||
private void writeMessages(PrintWriter out, boolean isConfigure, String peerString) throws IOException {
|
private void writeMessages(PrintWriter out, boolean isConfigure, String peerString) throws IOException {
|
||||||
|
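Review bot: The header block that gains nosniff here sets X-Frame-Options and X-XSS-Protection but, unlike every JSP touched by this commit, no Content-Security-Policy, so script on the snark pages is constrained only by the browser's legacy XSS filter. If the torrent UI needs inline script and styles, the policy used by the edit pages elsewhere in this commit, `resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");`, would still block remote script, object and frame sources. X-XSS-Protection is a heuristic that some browsers ignore and is not a substitute for a policy. The enclosing method of I2PSnarkServlet begins outside this hunk.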
@ -5,6 +5,7 @@
|
|||||||
// edit pages need script for the delete button 'are you sure'
|
// edit pages need script for the delete button 'are you sure'
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%><%@page pageEncoding="UTF-8"
|
%><%@page pageEncoding="UTF-8"
|
||||||
%><%@page trimDirectiveWhitespaces="true"
|
%><%@page trimDirectiveWhitespaces="true"
|
||||||
|
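Review bot: The same four `response.setHeader(...)` lines are now copied by hand into this JSP and into each of the other JSPs and servlets in the commit, which is exactly how a header gets missed on the next page and why a single new header has to touch this many files. A shared helper, for example a static `setSecurityHeaders(HttpServletResponse resp)` in the console web package, or a servlet filter on the console context, would set X-Frame-Options, CSP, X-XSS-Protection and nosniff once and let a page override only the CSP it needs. Separately, the `script-src 'unsafe-inline'` kept for the delete-button confirm leaves this policy unable to stop reflected script, so adding nosniff does not change the page's XSS exposure; a per-request CSP nonce would close that gap once the supported browsers allow it.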
@ -8,6 +8,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%><%@page pageEncoding="UTF-8"
|
%><%@page pageEncoding="UTF-8"
|
||||||
%><%@page trimDirectiveWhitespaces="true"
|
%><%@page trimDirectiveWhitespaces="true"
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%><%@page pageEncoding="UTF-8"
|
%><%@page pageEncoding="UTF-8"
|
||||||
%><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
|
%><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
|
||||||
|
@ -166,6 +166,7 @@ public class IdenticonServlet extends HttpServlet {
|
|||||||
|
|
||||||
// return image bytes to requester
|
// return image bytes to requester
|
||||||
response.setContentType(IDENTICON_IMAGE_MIMETYPE);
|
response.setContentType(IDENTICON_IMAGE_MIMETYPE);
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
response.setContentLength(imageBytes.length);
|
response.setContentLength(imageBytes.length);
|
||||||
response.getOutputStream().write(imageBytes);
|
response.getOutputStream().write(imageBytes);
|
||||||
}
|
}
|
||||||
|
@ -191,6 +191,7 @@ public class QRServlet extends HttpServlet {
|
|||||||
|
|
||||||
// return image bytes to requester
|
// return image bytes to requester
|
||||||
response.setContentType(IDENTICON_IMAGE_MIMETYPE);
|
response.setContentType(IDENTICON_IMAGE_MIMETYPE);
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
response.setContentLength(imageBytes.length);
|
response.setContentLength(imageBytes.length);
|
||||||
response.getOutputStream().write(imageBytes);
|
response.getOutputStream().write(imageBytes);
|
||||||
}
|
}
|
||||||
|
@ -62,6 +62,7 @@ public class RandomArtServlet extends HttpServlet {
|
|||||||
response.setContentType("text/plain");
|
response.setContentType("text/plain");
|
||||||
response.setCharacterEncoding("UTF-8");
|
response.setCharacterEncoding("UTF-8");
|
||||||
}
|
}
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
buf.append(RandomArt.gnutls_key_fingerprint_randomart(h.getData(), "SHA", 256, "", true, html));
|
buf.append(RandomArt.gnutls_key_fingerprint_randomart(h.getData(), "SHA", 256, "", true, html));
|
||||||
if (html)
|
if (html)
|
||||||
buf.append("</body></html>");
|
buf.append("</body></html>");
|
||||||
|
@ -41,6 +41,7 @@ public class CodedIconRendererServlet extends HttpServlet {
|
|||||||
//set as many headers as are common to any outcome
|
//set as many headers as are common to any outcome
|
||||||
|
|
||||||
srs.setContentType("image/png");
|
srs.setContentType("image/png");
|
||||||
|
srs.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
srs.setDateHeader("Expires", I2PAppContext.getGlobalContext().clock().now() + 86400000l);
|
srs.setDateHeader("Expires", I2PAppContext.getGlobalContext().clock().now() + 86400000l);
|
||||||
srs.setHeader("Cache-Control", "public, max-age=86400");
|
srs.setHeader("Cache-Control", "public, max-age=86400");
|
||||||
OutputStream os = srs.getOutputStream();
|
OutputStream os = srs.getOutputStream();
|
||||||
|
@ -34,6 +34,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
}
|
}
|
||||||
|
|
||||||
String conNonceParam = request.getParameter("consoleNonce");
|
String conNonceParam = request.getParameter("consoleNonce");
|
||||||
|
@ -31,7 +31,8 @@ if (c != null &&
|
|||||||
response.setDateHeader("Last-Modified", lastmod);
|
response.setDateHeader("Last-Modified", lastmod);
|
||||||
// cache for a day
|
// cache for a day
|
||||||
response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 86400000l);
|
response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 86400000l);
|
||||||
response.setHeader("Cache-Control", "public, max-age=86400");
|
response.setHeader("Cache-Control", "public, max-age=604800");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
}
|
}
|
||||||
long length = ffile.length();
|
long length = ffile.length();
|
||||||
if (length > 0)
|
if (length > 0)
|
||||||
|
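Review bot: The Cache-Control change from `max-age=86400` to `max-age=604800` contradicts both the `// cache for a day` comment above it and the Expires header on the preceding line, which is still computed as now + 86400000 ms. max-age takes precedence over Expires when both are present, so the effective lifetime is now seven days while the comment and Expires still say one; either revert to `max-age=86400` or update the comment and Expires (`now() + 604800000l`) together, depending on what was intended. The commit message mentions only the nosniff header, so this looks unintentional; the enclosing `if (c != null && ...)` block starts outside the hunk.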
@ -7,6 +7,7 @@
|
|||||||
* Do not tag this file for translation.
|
* Do not tag this file for translation.
|
||||||
*/
|
*/
|
||||||
response.setContentType("text/plain");
|
response.setContentType("text/plain");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
|
String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
|
||||||
try {
|
try {
|
||||||
net.i2p.util.FileUtil.readFile("history.txt", base, response.getOutputStream());
|
net.i2p.util.FileUtil.readFile("history.txt", base, response.getOutputStream());
|
||||||
|
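Review bot: `response.setContentType("text/plain")` here declares no charset, while the analogous text/plain block in RandomArtServlet in this same commit follows it with `response.setCharacterEncoding("UTF-8")`; history.txt is copied as raw bytes by `FileUtil.readFile`, so a browser will fall back to its default encoding for any non-ASCII entry. Adding `response.setCharacterEncoding("UTF-8");` between the content type and the nosniff line makes the declared type complete and consistent with the servlet. The surrounding try block continues outside the hunk.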
@ -35,6 +35,7 @@ if ( !rendered && ((rs != null) || fakeBw) ) {
|
|||||||
if ( (rate != null) || (fakeBw) ) {
|
if ( (rate != null) || (fakeBw) ) {
|
||||||
java.io.OutputStream cout = response.getOutputStream();
|
java.io.OutputStream cout = response.getOutputStream();
|
||||||
String format = request.getParameter("format");
|
String format = request.getParameter("format");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
if ("xml".equals(format)) {
|
if ("xml".equals(format)) {
|
||||||
if (!fakeBw) {
|
if (!fakeBw) {
|
||||||
response.setContentType("text/xml");
|
response.setContentType("text/xml");
|
||||||
|
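Review bot: The new `response.setHeader("X-Content-Type-Options", "nosniff")` is set after `response.getOutputStream()` is obtained two lines above it; the servlet API silently drops headers once the response is committed, so any write or flush to `cout` that is moved ahead of this line in a later edit would lose the header without an error. Set it before the stream is acquired, i.e. move the line up to precede `java.io.OutputStream cout = response.getOutputStream();`, next to where the content type is chosen. The enclosing `if` block and the content-type branches continue outside the hunk.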
@ -21,6 +21,7 @@ if (uri.endsWith(".css")) {
|
|||||||
} else if (uri.endsWith(".svg")) {
|
} else if (uri.endsWith(".svg")) {
|
||||||
response.setContentType("image/svg+xml");
|
response.setContentType("image/svg+xml");
|
||||||
}
|
}
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
/*
|
/*
|
||||||
* User or plugin themes
|
* User or plugin themes
|
||||||
* If the request is for /themes/console/foo/bar/baz,
|
* If the request is for /themes/console/foo/bar/baz,
|
||||||
|
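Review bot: With nosniff now sent for every file served by this theme handler, each resource's Content-Type has to be explicitly correct, but the visible `if`/`else if` chain only sets a type for `.css` and `.svg`. Anything else under the theme directories (images, fonts, other static assets) will carry whatever type the container assigns, or none, and a browser honoring nosniff refuses to load a stylesheet or script whose type is missing or wrong rather than guess it; confirm that every other extension shipped under /themes gets an explicit type, for example by extending the same chain. The start of the chain and the rest of the handler are outside this hunk.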
@ -8,6 +8,7 @@
|
|||||||
if (request.getParameter("i2p.contextId") != null) {
|
if (request.getParameter("i2p.contextId") != null) {
|
||||||
session.setAttribute("i2p.contextId", request.getParameter("i2p.contextId"));
|
session.setAttribute("i2p.contextId", request.getParameter("i2p.contextId"));
|
||||||
}
|
}
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
%>
|
%>
|
||||||
<jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />
|
<jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />
|
||||||
<jsp:setProperty name="intl" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
|
<jsp:setProperty name="intl" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
|
||||||
|
@ -30,6 +30,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%>
|
%>
|
||||||
<%@page pageEncoding="UTF-8"%>
|
<%@page pageEncoding="UTF-8"%>
|
||||||
|
@ -30,6 +30,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%>
|
%>
|
||||||
<%@page pageEncoding="UTF-8"%>
|
<%@page pageEncoding="UTF-8"%>
|
||||||
|
@ -27,6 +27,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%>
|
%>
|
||||||
<%@page pageEncoding="UTF-8"%>
|
<%@page pageEncoding="UTF-8"%>
|
||||||
|
@ -23,6 +23,7 @@
|
|||||||
// http://www.crazysquirrel.com/computing/general/form-encoding.jspx
|
// http://www.crazysquirrel.com/computing/general/form-encoding.jspx
|
||||||
if (request.getCharacterEncoding() == null)
|
if (request.getCharacterEncoding() == null)
|
||||||
request.setCharacterEncoding("UTF-8");
|
request.setCharacterEncoding("UTF-8");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
%>
|
%>
|
||||||
<%@page pageEncoding="UTF-8"%>
|
<%@page pageEncoding="UTF-8"%>
|
||||||
<%@page trimDirectiveWhitespaces="true"%>
|
<%@page trimDirectiveWhitespaces="true"%>
|
||||||
|
@ -30,6 +30,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%>
|
%>
|
||||||
<%@page pageEncoding="UTF-8"%>
|
<%@page pageEncoding="UTF-8"%>
|
||||||
|
@ -30,6 +30,7 @@
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
|
|
||||||
%>
|
%>
|
||||||
<%@page pageEncoding="UTF-8"%>
|
<%@page pageEncoding="UTF-8"%>
|
||||||
|
@ -1593,6 +1593,7 @@ public class WebMail extends HttpServlet
|
|||||||
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
response.setHeader("X-Frame-Options", "SAMEORIGIN");
|
||||||
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
|
response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
|
||||||
response.setHeader("X-XSS-Protection", "1; mode=block");
|
response.setHeader("X-XSS-Protection", "1; mode=block");
|
||||||
|
response.setHeader("X-Content-Type-Options", "nosniff");
|
||||||
RequestWrapper request = new RequestWrapper( httpRequest );
|
RequestWrapper request = new RequestWrapper( httpRequest );
|
||||||
|
|
||||||
SessionObject sessionObject = null;
|
SessionObject sessionObject = null;
|
||||||
|