Console, webapps: CSP improvements

i2ptunnel, susidns: Add headers.jsi
Console: Remove onload and use nonce for inline scripts where able
Version remaining js links

apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java

@@ -414,7 +414,7 @@ public class I2PSnarkServlet extends BasicServlet {
         resp.setContentType("text/html; charset=UTF-8");
         // "no-store, max-age=0" forces all our images to be reloaded on ajax refresh
         resp.setHeader("Cache-Control", "max-age=86400, no-cache, must-revalidate");
-        resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+        resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'");
         resp.setDateHeader("Expires", 86400);
         resp.setHeader("Pragma", "no-cache");
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");

apps/i2ptunnel/jsp/edit.jsp

@@ -3,7 +3,7 @@
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     // edit pages need script for the delete button 'are you sure'
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
     response.setHeader("X-Content-Type-Options", "nosniff");
     response.setHeader("Referrer-Policy", "no-referrer");

apps/i2ptunnel/jsp/headers.jsi

@@ -0,0 +1,15 @@
+<%
+    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
+
+    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
+    if (request.getCharacterEncoding() == null)
+        request.setCharacterEncoding("UTF-8");
+
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+    response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
+    response.setHeader("Referrer-Policy", "no-referrer");
+    response.setHeader("Accept-Ranges", "none");
+
+%>

apps/i2ptunnel/jsp/index.jsp

@@ -1,17 +1,4 @@
-<%
+<%@include file="headers.jsi"
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.IndexBean"

apps/i2ptunnel/jsp/register.jsp

@@ -1,13 +1,4 @@
-<%
+<%@include file="headers.jsi"
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="java.io.InputStream,net.i2p.i2ptunnel.web.EditBean,net.i2p.servlet.RequestWrapper,net.i2p.client.I2PSessionException,net.i2p.client.naming.HostTxtEntry,net.i2p.data.PrivateKeyFile,net.i2p.data.SigningPrivateKey,net.i2p.util.OrderedProperties"
 %><%@page

apps/i2ptunnel/jsp/ssl.jsp

@@ -1,13 +1,4 @@
-<%
+<%@include file="headers.jsi"
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="java.io.File,java.io.IOException,net.i2p.crypto.KeyStoreUtil,net.i2p.data.DataHelper,net.i2p.jetty.JettyXmlConfigurationParser"
 %><%@page

apps/i2ptunnel/jsp/wizard.jsp

@@ -1,17 +1,4 @@
-<%
+<%@include file="headers.jsi"
-    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
 %><?xml version="1.0" encoding="UTF-8"?>

apps/jetty/java/src/net/i2p/servlet/ErrorServlet.java

@@ -90,7 +90,7 @@ public class ErrorServlet extends HttpServlet {
         resp.setDateHeader("Expires", 0);
         resp.setHeader("Cache-Control", "no-store, max-age=0, no-cache, must-revalidate");
         resp.setHeader("Pragma", "no-cache");
-        resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'none'");
+        resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'none'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
         Integer ERROR_CODE = (Integer) req.getAttribute("javax.servlet.error.status_code");
         String ERROR_URI = (String) req.getAttribute("javax.servlet.error.request_uri");
         String ERROR_MESSAGE = (String) req.getAttribute("javax.servlet.error.message");
@@ -114,6 +114,7 @@ public class ErrorServlet extends HttpServlet {
              ERROR_URI.endsWith(".ico") ||
              ERROR_URI.endsWith(".svg") ||
              ERROR_URI.endsWith(".txt") ||
+             ERROR_URI.endsWith(".js") ||
              ERROR_URI.endsWith(".css"))) {
             // keep it simple
             resp.setContentType("text/plain");

apps/routerconsole/jsp/certs.jsp

@@ -5,9 +5,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Certificates")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1><%=intl._t("Certificates")%></h1>
 <div class="main" id="certs">
 <jsp:useBean class="net.i2p.router.web.helpers.CertHelper" id="certhelper" scope="request" />

apps/routerconsole/jsp/config.jsp

@@ -2,16 +2,12 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("configure bandwidth")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigNetHelper" id="nethelper" scope="request" />
 <jsp:setProperty name="nethelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Bandwidth Configuration")%></h1>

apps/routerconsole/jsp/configadvanced.jsp

@@ -2,16 +2,12 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config advanced")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigAdvancedHelper" id="advancedhelper" scope="request" />
 <jsp:setProperty name="advancedhelper" property="contextId" value="<%=i2pcontextId%>" />
 

apps/routerconsole/jsp/configclients.jsp

@@ -1,9 +1,9 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("config clients")%>
 <style type='text/css'>
 button span.hide{
@@ -11,12 +11,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />

apps/routerconsole/jsp/configfamily.jsp

@@ -1,16 +1,12 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config router family")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigFamilyHelper" id="familyHelper" scope="request" />
 <jsp:setProperty name="familyHelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Router Family Configuration")%></h1>

apps/routerconsole/jsp/confighome.jsp

@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config home")%>
@@ -12,10 +11,8 @@ input.default {
     visibility: hidden;
 }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Home Page Configuration")%></h1>
 <div class="main" id="config_homepage">

apps/routerconsole/jsp/configi2cp.jsp

@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config clients")%>
@@ -11,12 +10,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />

apps/routerconsole/jsp/configkeyring.jsp

@@ -1,14 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config keyring")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Keyring Configuration")%></h1>
 <div class="main" id="config_keyring">

apps/routerconsole/jsp/configlogging.jsp

@@ -2,16 +2,13 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config logging")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigLoggingHelper" id="logginghelper" scope="request" />
 <jsp:setProperty name="logginghelper" property="contextId" value="<%=i2pcontextId%>" />
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Logging Configuration")%></h1>
 <div class="main" id="config_logging">

apps/routerconsole/jsp/confignet.jsp

@@ -1,16 +1,12 @@
 <%@page contentType="text/html" %>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config networking")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigNetHelper" id="nethelper" scope="request" />
 <jsp:setProperty name="nethelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Network Configuration")%></h1>

apps/routerconsole/jsp/configpeer.jsp

@@ -4,9 +4,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config peers")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Peer Configuration")%></h1>
 <div class="main" id="config_peers">

apps/routerconsole/jsp/configplugins.jsp

@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config plugins")%>
@@ -11,12 +10,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />

apps/routerconsole/jsp/configreseed.jsp

@@ -1,16 +1,12 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config reseeding")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigReseedHelper" id="reseedHelper" scope="request" />
 <jsp:setProperty name="reseedHelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Reseeding Configuration")%></h1>

apps/routerconsole/jsp/configservice.jsp

@@ -1,14 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config service")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Service Configuration")%></h1>
 <div class="main" id="config_service">

apps/routerconsole/jsp/configsidebar.jsp

@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config sidebar")%>
@@ -12,10 +11,8 @@ input.default {
     visibility: hidden;
 }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Sidebar Configuration")%></h1>
 <div class="main" id="config_summarybar">

apps/routerconsole/jsp/configstats.jsp

@@ -2,14 +2,13 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("config stats")%>
 <noscript><style type="text/css">.script {display: none;}</style></noscript>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
 function init()
 {
 	checkAll = false;

apps/routerconsole/jsp/configtunnels.jsp

@@ -1,16 +1,12 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config tunnels")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigTunnelsHelper" id="tunnelshelper" scope="request" />
 <jsp:setProperty name="tunnelshelper" property="contextId" value="<%=i2pcontextId%>" />
 <h1><%=intl._t("I2P Tunnel Configuration")%></h1>

apps/routerconsole/jsp/configui.jsp

@@ -2,7 +2,6 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config UI")%>
@@ -13,12 +12,9 @@ input.default {
     visibility: hidden;
 }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigUIHelper" id="uihelper" scope="request" />
 <jsp:setProperty name="uihelper" property="contextId" value="<%=i2pcontextId%>" />
 

apps/routerconsole/jsp/configupdate.jsp

@@ -2,14 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config update")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Update Configuration")%></h1>
 <div class="main" id="config_update">

apps/routerconsole/jsp/configwebapps.jsp

@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("config webapps")%>
@@ -11,12 +10,9 @@ button span.hide{
 }
 input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <jsp:useBean class="net.i2p.router.web.helpers.ConfigClientsHelper" id="clientshelper" scope="request" />
 <jsp:setProperty name="clientshelper" property="contextId" value="<%=i2pcontextId%>" />
 <jsp:setProperty name="clientshelper" property="edit" value="<%=request.getParameter(\"edit\")%>" />

apps/routerconsole/jsp/console.jsp

@@ -2,19 +2,15 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("home")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%
     String consoleNonce = net.i2p.router.web.CSSHelper.getNonce();
 %>
-
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Router Console")%></h1>
 <div class="news" id="news">
 <%

apps/routerconsole/jsp/csp-unsafe.jsi

@@ -0,0 +1,4 @@
+<%
+      // Add this AFTER css.jsi if there's any onclick attributes in the page
+      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+%>

apps/routerconsole/jsp/css.jsi

@@ -34,10 +34,14 @@
 <link rel="icon" href="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/favicon.ico"><%
    response.setHeader("Accept-Ranges", "none");
 
+   String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());
+
    // clickjacking
    if (intl.shouldSendXFrame()) {
       response.setHeader("X-Frame-Options", "SAMEORIGIN");
-      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+      // unsafe-inline is a fallback for browsers not supporting nonce
+      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
+      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
       response.setHeader("X-XSS-Protection", "1; mode=block");
       response.setHeader("X-Content-Type-Options", "nosniff");
    }

apps/routerconsole/jsp/debug.jsp

@@ -9,9 +9,8 @@
 %>
 <html><head><title>I2P Router Console - Debug</title>
 <%@include file="css.jsi" %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1>Router Debug</h1>
 <div class="main" id="debug">

apps/routerconsole/jsp/dns.jsp

@@ -21,24 +21,21 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("addressbook")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function setupFrame() {
       f = document.getElementById("susidnsframe");
       injectClass(f);
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Addressbook")%> <span class="newtab"><a href="/susidns/index" target="_blank" title="<%=intl._t("Open in new tab")%>"><img src="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/newtab.png" /></a></span></h1>
 <div class="main" id="dns">
 <iframe src="/susidns/index" width="100%" height="100%" frameborder="0" border="0" name="susidnsframe" id="susidnsframe" onload="setupFrame()" allowtransparency="true">

apps/routerconsole/jsp/error.jsp

@@ -27,9 +27,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Page Not Found")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=ERROR_CODE%>&nbsp;<%=ERROR_MESSAGE%></h1>
 <div class="sorry" id="warning">

apps/routerconsole/jsp/events.jsp

@@ -2,7 +2,6 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("events")%>
@@ -14,9 +13,8 @@
     eventHelper.storeWriter(out);
     eventHelper.storeMethod(request.getMethod());
 %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Event Log")%></h1>
 <div class="main" id="events">

apps/routerconsole/jsp/graph.jsp

@@ -1,7 +1,6 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("graphs")%>
@@ -12,9 +11,8 @@
 <%
     graphHelper.storeWriter(out);
 %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <%
     // needs to be after the summary bar is rendered, so

apps/routerconsole/jsp/graphs.jsp

@@ -2,7 +2,6 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("graphs")%>
@@ -19,9 +18,8 @@
         out.print(graphHelper.getRefreshMeta());
     }
 %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Performance Graphs")%></h1>
 <div class="main" id="graphs">

apps/routerconsole/jsp/help.jsp

@@ -5,9 +5,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("help")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Router Help and Support")%></h1>
 <div class="main" id="help">

apps/routerconsole/jsp/home.jsp

@@ -4,9 +4,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("home")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%
     String consoleNonce = net.i2p.router.web.CSSHelper.getNonce();
 %>

apps/routerconsole/jsp/i2ptunnelmgr.jsp

@@ -21,14 +21,13 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("Hidden Services Manager")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function injectClassSpecific(f) {
       var doc = 'contentDocument' in f? f.contentDocument : f.contentWindow.document;
       if (doc.getElementsByClassName == undefined) {
@@ -57,7 +56,7 @@
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
+</head><body>
 
 <%@include file="summary.jsi" %>
 

apps/routerconsole/jsp/jars.jsp

@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Jar File Dump")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1>Jar File Dump</h1>
 <div class="main" id="jardump">
 <jsp:useBean class="net.i2p.router.web.helpers.FileDumpHelper" id="dumpHelper" scope="request" />

apps/routerconsole/jsp/jobs.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("job queue")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1><%=intl._t("I2P Router Job Queue")%></h1>
 <div class="main" id="jobs">
  <jsp:useBean class="net.i2p.router.web.helpers.JobQueueHelper" id="jobQueueHelper" scope="request" />

apps/routerconsole/jsp/logs.jsp

@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("logs")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Router Logs")%></h1>
 <div class="main" id="logs">

apps/routerconsole/jsp/netdb.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("network database")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Network Database")%></h1>
 <div class="main" id="netdb">

apps/routerconsole/jsp/news.jsp

@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("News")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("Latest News")%></h1>
 <div class="main" id="news">

apps/routerconsole/jsp/nowebapp.jsp

@@ -7,9 +7,8 @@
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("WebApp Not Found")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("Web Application Not Running")%></h1>
 <div class="sorry" id="warning">

apps/routerconsole/jsp/oldconsole.jsp

@@ -9,9 +9,8 @@
 %>
 <html><head><title>I2P Router Console - internals</title>
 <%@include file="css.jsi" %>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <jsp:useBean class="net.i2p.router.web.helpers.OldConsoleHelper" id="conhelper" scope="request" />
 <jsp:setProperty name="conhelper" property="contextId" value="<%=i2pcontextId%>" />

apps/routerconsole/jsp/peers.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("peer connections")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Network Peers")%></h1>
 <div class="main" id="peers">

apps/routerconsole/jsp/profiles.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("peer profiles")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("I2P Network Peer Profiles")%></h1>
 <div class="main" id="profiles"><div class="wideload">

apps/routerconsole/jsp/proof.jsp

@@ -1,13 +1,11 @@
 <%@page contentType="text/html"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Proof")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1>Proof of Ownership</h1>
 <div class="main" id="proof"><p>
 <jsp:useBean class="net.i2p.router.web.helpers.ProofHelper" id="proofHelper" scope="request" />

apps/routerconsole/jsp/stats.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("statistics")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <jsp:useBean class="net.i2p.router.web.helpers.OldConsoleHelper" id="oldhelper" scope="request" />
 <jsp:setProperty name="oldhelper" property="contextId" value="<%=i2pcontextId%>" />

apps/routerconsole/jsp/summaryajax.jsi

@@ -1,5 +1,7 @@
-<script type="text/javascript">
+<script src="/js/ajax.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
   var failMessage = "<hr><b><%=intl._t("Router is down")%><\/b>";
   function requestAjax1() { ajax("/xhr1.jsp?requestURI=<%=request.getRequestURI()%>", "xhr", <%=intl.getRefresh()%>000); }
   function initAjax() { setTimeout(requestAjax1, <%=intl.getRefresh()%>000);  }
+  initAjax();
 </script>

apps/routerconsole/jsp/torrents.jsp

@@ -22,24 +22,21 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("torrents")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function setupFrame() {
       f = document.getElementById("i2psnarkframe");
       injectClass(f);
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Torrent Manager")%> <span class="newtab"><a href="/i2psnark/" target="_blank" title="<%=intl._t("Open in new tab")%>"><img src="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/newtab.png" /></a></span></h1>
 <div class="main" id="torrents">
 <iframe src="/i2psnark/" width="100%" height="100%" frameborder="0" border="0" name="i2psnarkframe" id="i2psnarkframe" onload="setupFrame()" allowtransparency="true">

apps/routerconsole/jsp/tunnels.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("tunnel summary")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %><h1><%=intl._t("I2P Tunnel Summary")%></h1>
 <div class="main" id="tunnels">
  <jsp:useBean class="net.i2p.router.web.helpers.TunnelHelper" id="tunnelHelper" scope="request" />

apps/routerconsole/jsp/viewprofile.jsp

@@ -2,13 +2,11 @@
 <%@page trimDirectiveWhitespaces="true"%>
 <%@page pageEncoding="UTF-8"%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
 <%=intl.title("Peer Profile")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-</head><body onload="initAjax()">
+</head><body>
 <%@include file="summary.jsi" %>
 <h1><%=intl._t("Peer Profile")%></h1>
 <div class="main" id="view_profile"><div class="wideload">

apps/routerconsole/jsp/webmail.jsp

@@ -22,24 +22,21 @@
     } else {
 %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
 <html><head>
 <%@include file="css.jsi" %>
+<%@include file="csp-unsafe.jsi" %>
 <%=intl.title("webmail")%>
-<script src="/js/ajax.js" type="text/javascript"></script>
+<script src="/js/iframed.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
-<script src="/js/iframed.js" type="text/javascript"></script>
 <%@include file="summaryajax.jsi" %>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   function setupFrame() {
       f = document.getElementById("susimailframe");
       injectClass(f);
       resizeFrame(f);
   }
 </script>
-</head><body onload="initAjax()">
+</head><body>
-
 <%@include file="summary.jsi" %>
-
 <h1><%=intl._t("I2P Webmail")%> <span class="newtab"><a href="/susimail/" target="_blank" title="<%=intl._t("Open in new tab")%>"><img src="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/newtab.png" /></a></span></h1>
 <div class="main" id="webmail">
 <iframe src="/susimail/" width="100%" height="100%" frameborder="0" border="0" name="susimailframe" id="susimailframe" onload="setupFrame()" allowtransparency="true">

apps/routerconsole/jsp/welcome.jsp

@@ -66,8 +66,8 @@
     wizhelper.setContextId(i2pcontextId);
     if (ipg == 4) {
 %>
-<script src="/js/welcomeajax.js" type="text/javascript"></script>
+<script src="/js/welcomeajax.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
-<script type="text/javascript">
+<script nonce="<%=cspNonce%>" type="text/javascript">
   var failMessage = "<b><%=intl._t("Router is down")%><\/b>";
   var progressMessage = "<b><%=intl._t("Bandwidth test in progress...")%><\/b>";
   var doneMessage = "<b><%=intl._t("Bandwidth test is complete, click Next")%><\/b>";
@@ -76,22 +76,12 @@
      document.getElementById("xhr").innerHTML = progressMessage;
      setTimeout(requestAjax1, "1000");
   }
+  initAjax();
 </script>
 <%
-    }
+    }  // ipg == 4
-%>
-</head>
-<%
-    if (ipg == 4) {
-%>
-<body onload="initAjax()">
-<%
-    } else {
-%>
-<body>
-<%
-    }
 %>
+</head><body>
 <div id="wizard" class="overlay">
 
 <jsp:useBean class="net.i2p.router.web.helpers.WizardHandler" id="formhandler" scope="request" />

apps/susidns/src/jsp/addressbook.jsp

@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
     response.setHeader("X-Content-Type-Options", "nosniff");
     response.setHeader("Referrer-Policy", "no-referrer");
@@ -57,7 +57,7 @@
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <title>${book.book} <%=intl._t("address book")%> - susidns</title>
 <link rel="stylesheet" type="text/css" href="<%=book.getTheme()%>susidns.css?<%=net.i2p.CoreVersion.VERSION%>">
-<script src="/js/resetScroll.js" type="text/javascript"></script>
+<script src="/js/resetScroll.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 </head>
 <body>
 <div class="page">

apps/susidns/src/jsp/config.jsp

@@ -22,19 +22,8 @@
  *
  * $Revision: 1.1 $
  */
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %>
+<%@include file="headers.jsi" %>
 <%@page pageEncoding="UTF-8"%>
 <%@ page contentType="text/html" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

apps/susidns/src/jsp/details.jsp

@@ -19,19 +19,8 @@
  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  *
  */
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %>
+<%@include file="headers.jsi" %>
 <%@page pageEncoding="UTF-8"%>
 <%@ page contentType="text/html"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

apps/susidns/src/jsp/headers.jsi

@@ -0,0 +1,12 @@
+<%
+    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
+    if (request.getCharacterEncoding() == null)
+        request.setCharacterEncoding("UTF-8");
+
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+    response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
+    response.setHeader("Referrer-Policy", "no-referrer");
+    response.setHeader("Accept-Ranges", "none");
+%>

apps/susidns/src/jsp/index.jsp

@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; frame-ancestors 'self'; media-src 'none'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
     response.setHeader("X-Content-Type-Options", "nosniff");
     response.setHeader("Referrer-Policy", "no-referrer");

apps/susidns/src/jsp/subscriptions.jsp

@@ -22,19 +22,8 @@
  *
  * $Revision: 1.2 $
  */
-
-    // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
-    if (request.getCharacterEncoding() == null)
-        request.setCharacterEncoding("UTF-8");
-
-    response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
-    response.setHeader("X-XSS-Protection", "1; mode=block");
-    response.setHeader("X-Content-Type-Options", "nosniff");
-    response.setHeader("Referrer-Policy", "no-referrer");
-    response.setHeader("Accept-Ranges", "none");
-
 %>
+<%@include file="headers.jsi" %>
 <%@page pageEncoding="UTF-8"%>
 <%@ page contentType="text/html"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

apps/susimail/src/src/i2p/susi/webmail/WebMail.java

@@ -2008,7 +2008,7 @@ public class WebMail extends HttpServlet
 		httpRequest.setCharacterEncoding("UTF-8");
 		response.setCharacterEncoding("UTF-8");
                 response.setHeader("X-Frame-Options", "SAMEORIGIN");
-                response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
+                response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
                 response.setHeader("X-XSS-Protection", "1; mode=block");
 		response.setHeader("X-Content-Type-Options", "nosniff");
 		response.setHeader("Referrer-Policy", "no-referrer");