Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adopt a Content Security Policy #242

Merged
merged 46 commits into from
Jul 11, 2023
Merged

Adopt a Content Security Policy #242

merged 46 commits into from
Jul 11, 2023

Commits on Jun 25, 2023

  1. Add CSP header

    @dfabulich
    dfabulich committed Jun 25, 2023
    Configuration menu
    Copy the full SHA
    068a997 View commit details
    Browse the repository at this point in the history

  2. add a bunch of nonces

    @dfabulich
    dfabulich committed Jun 25, 2023
    Configuration menu
    Copy the full SHA
    f48c025 View commit details
    Browse the repository at this point in the history

  3. convert onload to script

    @dfabulich
    dfabulich committed Jun 25, 2023
    Configuration menu
    Copy the full SHA
    02d2689 View commit details
    Browse the repository at this point in the history

  4. remove calls to eval

    @dfabulich
    dfabulich committed Jun 25, 2023
    Configuration menu
    Copy the full SHA
    6cc63f2 View commit details
    Browse the repository at this point in the history

  5. add nonce to recaptcha script

    @dfabulich
    dfabulich committed Jun 25, 2023
    Configuration menu
    Copy the full SHA
    e0fdefc View commit details
    Browse the repository at this point in the history

Commits on Jul 9, 2023

  1. remove inline event handlers: checkbox

    @dfabulich
    dfabulich committed Jul 9, 2023
    Configuration menu
    Copy the full SHA
    e21cda9 View commit details
    Browse the repository at this point in the history

  2. remove inline event handlers: combobox

    @dfabulich
    dfabulich committed Jul 9, 2023
    Configuration menu
    Copy the full SHA
    fbde321 View commit details
    Browse the repository at this point in the history

  3. remove inline event handlers: captcha

    @dfabulich
    dfabulich committed Jul 9, 2023
    Configuration menu
    Copy the full SHA
    6b017ec View commit details
    Browse the repository at this point in the history

  4. remove inline event handlers: commentutil reveal plonk

    @dfabulich
    dfabulich committed Jul 9, 2023
    Configuration menu
    Copy the full SHA
    aeac4b2 View commit details
    Browse the repository at this point in the history

  5. remove inline event handlers: delgame reveal search popup

    @dfabulich
    dfabulich committed Jul 9, 2023
    Configuration menu
    Copy the full SHA
    7c22831 View commit details
    Browse the repository at this point in the history

  6. remove inline event handlers: editclub

    @dfabulich
    dfabulich committed Jul 9, 2023
    Configuration menu
    Copy the full SHA
    7e3c8b9 View commit details
    Browse the repository at this point in the history

Commits on Jul 10, 2023

  1. remove inline event handlers: editcomp (gridform refactor) 

    This one was especially tricky, because editcomp makes heavy use of gridform, which generates HTML in JS as a string and then injects it with innerHTML. There's no way to attach <script> tags with innerHTML, even if the <script> contains the appropriate nonces.

So, to refactor, I added a new hook for gridform, activateListeners, designed to re-activate event handlers for all of the gridform generated HTML, and moved all event handlers in there.

This was especially painful for comboboxes, because I had to manually re-attach equivalent event listeners on all of the generated comboboxes.
    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    106161b View commit details
    Browse the repository at this point in the history

  2. remove inline event handlers: editgame (gridform refactor)

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    13ed857 View commit details
    Browse the repository at this point in the history

  3. remove inline event handlers: editlist (gridform refactor)

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    0593d04 View commit details
    Browse the repository at this point in the history

  4. remove inline event handlers: editprofile (comment only)

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    fd0e994 View commit details
    Browse the repository at this point in the history

  5. remove inline event handlers: gamesearchpopup

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    ec738d2 View commit details
    Browse the repository at this point in the history

  6. remove inline event handlers: gridform.js

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    a7b4f77 View commit details
    Browse the repository at this point in the history

  7. remove inline event handlers: help-review-votes

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    848efc5 View commit details
    Browse the repository at this point in the history

  8. remove inline event handlers: ifarchive-upload

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    38911af View commit details
    Browse the repository at this point in the history

  9. remove inline event handlers: imageUpload

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    2edf655 View commit details
    Browse the repository at this point in the history

  10. remove inline event handlers: imageuploadhandler.php

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    1181c83 View commit details
    Browse the repository at this point in the history

  11. remove inline event handlers: news.php

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    6bfe953 View commit details
    Browse the repository at this point in the history

  12. remove inline event handlers: newuser

    @dfabulich
    dfabulich committed Jul 10, 2023
    Configuration menu
    Copy the full SHA
    afee62c View commit details
    Browse the repository at this point in the history

Commits on Jul 11, 2023

  1. remove inline event handlers: personal (comment only)

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    d900546 View commit details
    Browse the repository at this point in the history

  2. remove inline event handlers: poll

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    f3bbc74 View commit details
    Browse the repository at this point in the history

  3. remove inline event handlers: profilelink.php

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    4bfc3ac View commit details
    Browse the repository at this point in the history

  4. remove inline event handlers: recaptchalib.php (remove unused function)

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    ceae7a7 View commit details
    Browse the repository at this point in the history

  5. remove inline event handlers: review

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    a857dc3 View commit details
    Browse the repository at this point in the history

  6. remove inline event handlers: reviews.php

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    63302dd View commit details
    Browse the repository at this point in the history

  7. remove inline event handlers: reviewunflag

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    7b6c6af View commit details
    Browse the repository at this point in the history

  8. remove inline event handlers: search

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    5218981 View commit details
    Browse the repository at this point in the history

  9. remove inline event handlers: showuser (comment only)

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    b147dc7 View commit details
    Browse the repository at this point in the history

  10. remove inline event handlers: starctl.php

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    9cf847e View commit details
    Browse the repository at this point in the history

  11. fix editing stylepics

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    8de78b2 View commit details
    Browse the repository at this point in the history

  12. remove inline event handlers: stylepics

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    0df5945 View commit details
    Browse the repository at this point in the history

  13. remove inline event handlers: t3join, t3run, t3servers (untested)

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    87b1940 View commit details
    Browse the repository at this point in the history

  14. remove inline event handlers: useractivation.php

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    01acf2e View commit details
    Browse the repository at this point in the history

  15. remove inline event handlers: ifdb-recommends.php (comment only)

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    5f38965 View commit details
    Browse the repository at this point in the history

  16. Fix spoilers in reviews

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    9127e2a View commit details
    Browse the repository at this point in the history

  17. remove inline event handlers: viewgame

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    7a60679 View commit details
    Browse the repository at this point in the history

  18. Replace all helpWinHRef calls with helpWinLink

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    b99c492 View commit details
    Browse the repository at this point in the history

  19. remove inline event handlers: util.php winHelpLink

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    55c730c View commit details
    Browse the repository at this point in the history

  20. Forbid script-src-attr

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    2f9ecd7 View commit details
    Browse the repository at this point in the history

  21. Fix gridform Move Up / Move Down buttons

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    571ffe5 View commit details
    Browse the repository at this point in the history

  22. Remove dependency on mb_strlen, not enabled on prod machines

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    aa74070 View commit details
    Browse the repository at this point in the history

  23. Allow script from google.com to fix recaptcha

    @dfabulich
    dfabulich committed Jul 11, 2023
    Configuration menu
    Copy the full SHA
    2f0d7f2 View commit details
    Browse the repository at this point in the history