echelon/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CSP to allow inline style and refresh

Browse Source 
Add filter to all webapps
This commit is contained in:
zzz
2014-07-26 11:01:16 +00:00
parent 99401c5639
commit 4746d9eb80
16 changed files with 56 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
apps/addressbook/web.xml
View File

@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd"> "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app> <web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet> <servlet>
<servlet-name>addressbook</servlet-name> <servlet-name>addressbook</servlet-name>
<servlet-class>net.i2p.addressbook.Servlet</servlet-class> <servlet-class>net.i2p.addressbook.Servlet</servlet-class>

2
apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
View File

@ -159,7 +159,7 @@ public class I2PSnarkServlet extends BasicServlet {
// this is the part after /i2psnark // this is the part after /i2psnark
String path = req.getServletPath(); String path = req.getServletPath();
resp.setHeader("X-Frame-Options", "SAMEORIGIN"); resp.setHeader("X-Frame-Options", "SAMEORIGIN");
resp.setHeader("Content-Security-Policy", "default-src 'self'"); resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
resp.setHeader("X-XSS-Protection", "1; mode=block"); resp.setHeader("X-XSS-Protection", "1; mode=block");
String peerParam = req.getParameter("p"); String peerParam = req.getParameter("p");

9
apps/i2psnark/web.xml
View File

@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd"> "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app> <web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet> <servlet>
<servlet-name>org.klomp.snark.web.I2PSnarkServlet</servlet-name> <servlet-name>org.klomp.snark.web.I2PSnarkServlet</servlet-name>
<servlet-class>org.klomp.snark.web.I2PSnarkServlet</servlet-class> <servlet-class>org.klomp.snark.web.I2PSnarkServlet</servlet-class>

2
apps/i2ptunnel/jsp/edit.jsp
View File

@ -2,7 +2,7 @@
// NOTE: Do the header carefully so there is no whitespace before the <?xml... line // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8" %><%@page pageEncoding="UTF-8"

2
apps/i2ptunnel/jsp/index.jsp
View File

@ -6,7 +6,7 @@
request.setCharacterEncoding("UTF-8"); request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8" %><%@page pageEncoding="UTF-8"

9
apps/i2ptunnel/jsp/web.xml
View File

@ -4,6 +4,15 @@
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd"> "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app> <web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- precompiled servlets --> <!-- precompiled servlets -->
<!-- yeah we could do this in a handler but this is easier --> <!-- yeah we could do this in a handler but this is easier -->

2
apps/i2ptunnel/jsp/wizard.jsp
View File

@ -6,7 +6,7 @@
request.setCharacterEncoding("UTF-8"); request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%><%@page pageEncoding="UTF-8" %><%@page pageEncoding="UTF-8"

2
apps/routerconsole/jsp/css.jsi
View File

@ -32,7 +32,7 @@
// clickjacking // clickjacking
if (intl.shouldSendXFrame()) { if (intl.shouldSendXFrame()) {
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
} }

9
apps/susidns/src/WEB-INF/web-template.xml
View File

@ -3,6 +3,15 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd"> "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app> <web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<display-name>susidns</display-name> <display-name>susidns</display-name>
<!-- precompiled servlets --> <!-- precompiled servlets -->

2
apps/susidns/src/jsp/config.jsp
View File

@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8"); request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%> %>

2
apps/susidns/src/jsp/details.jsp
View File

@ -25,7 +25,7 @@
request.setCharacterEncoding("UTF-8"); request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%> %>

2
apps/susidns/src/jsp/index.jsp
View File

@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8"); request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%> %>

2
apps/susidns/src/jsp/subscriptions.jsp
View File

@ -28,7 +28,7 @@
request.setCharacterEncoding("UTF-8"); request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
%> %>

9
apps/susimail/src/WEB-INF/web.xml
View File

@ -3,6 +3,15 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd"> "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app> <web-app>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<display-name>susimail</display-name> <display-name>susimail</display-name>
<servlet> <servlet>
<servlet-name>SusiMail</servlet-name> <servlet-name>SusiMail</servlet-name>

2
apps/susimail/src/src/i2p/susi/webmail/WebMail.java
View File

@ -1562,7 +1562,7 @@ public class WebMail extends HttpServlet
httpRequest.setCharacterEncoding("UTF-8"); httpRequest.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8"); response.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN"); response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'"); response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
response.setHeader("X-XSS-Protection", "1; mode=block"); response.setHeader("X-XSS-Protection", "1; mode=block");
RequestWrapper request = new RequestWrapper( httpRequest ); RequestWrapper request = new RequestWrapper( httpRequest );

2
router/java/src/net/i2p/router/RouterVersion.java
View File

@ -18,7 +18,7 @@ public class RouterVersion {
/** deprecated */ /** deprecated */
public final static String ID = "Monotone"; public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION; public final static String VERSION = CoreVersion.VERSION;
public final static long BUILD = 20; public final static long BUILD = 21;
/** for example "-test" */ /** for example "-test" */
public final static String EXTRA = "-rc"; public final static String EXTRA = "-rc";