Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable content security policy by default #1031

Merged
merged 39 commits into from Jul 14, 2021
Merged

Enable content security policy by default #1031

merged 39 commits into from Jul 14, 2021

Conversation

evernat
Copy link
Member

@evernat evernat commented Jul 12, 2021

based on #966 by @candrews

candrews and others added 30 commits April 5, 2021 21:36
@candrews @evernat
lightwindow.js: use about:blank instead of javascript:false
0f5346c 
about:blank works for all browsers and doesn't use inline javascript
therefore doesn't violate a content security policy which prohibits
inline script.
@candrews @evernat
resizable_tables.js: don't use innerHTML
e977532 
innerHTML is unsafe; use document.createElement to create elements then
set attributes on them.
@candrews @evernat
RUM Injector: don't use inline script to run BOOMR.init
25b6a6b 
Move the BOOMR.init call to boomerang.min.js and include
boomerang.min.js using a script tag.
Use attributes on the script tag to pass necessary data to the script
which is used to call BOOMR.init.
@candrews @evernat
Only run PROBLEMATIC_ATTRIBUTE_READING check if IE
efcc55b 
Avoid a CSP inline script violation.

See: prototypejs/prototype#320
@candrews @evernat
Eliminate all inline script and styles
f838f8e 
Move all inline CSS and inline Javascript to monitoring.css and
monitoring.js
@candrews @evernat
Remove no longer used methods
ca49860 
Since no javascript is dynamically generated, methods to escape
javascript are no longer necessary or used.
@candrews @evernat
Add a configuration option for CSP header (enabled by default)
641bd2f
@candrews @evernat
In the database reports, fix the dropdown that selects the report
4ec6a83
@candrews @evernat
Don't showHide twice
6b0e459
@candrews @evernat
Don't allow floating elements on either side of .chapterTitle
323aff9
@candrews @evernat
In HtmlMBeansReport, move inline CSS to .css file
d82da83
@candrews @evernat
Fix HtmlReport.toHtml to call the correct htmlCoreReport.toHtml overload
434af40
@candrews @evernat
Fix typo in '.alertAndRedirect' handler resulting in alerts not working
a08a099
@candrews @evernat
Remove redundant alertDialogAndRedirect - use alertAndRedirect
f75a0a1
@candrews @evernat
Reset "part" portion of URL when doing alertAndRedirect
a11f31b
@candrews @evernat
Load request graphs on hover, not on page load
637a161
@candrews @evernat
Handle single ' and double " quotes when HTML encoding
7623fae
@candrews @evernat
Alert the message for required messages
6ebefff
@candrews @evernat
Add DOCTYPE and required js to the collector page
5cb4e2a
@candrews @evernat
Fix required message for appName and appUrls html form fields
d232d2c
@candrews @evernat
Use prototype's $ function to wrap dom elements
b201bb5 
The $$ is used to select elements by CSS selector only
@candrews @evernat
Have Collector Server service resources
3dfbb80
@candrews @evernat
CollectorController.showAlertAndRedirectTo should return a full, vali…
a5b35f1 
…d HTML page
@candrews @evernat
Fix single and double quote HTML escaping
e2f01f2 
`#` cannot be used because it's used to indicate message keys to lookup.
So instead use alternative representations that don't use `#`
@evernat
Merge branch 'master' into content-security-policy
ae11ef3
@evernat
Merge branch 'master' into content-security-policy
daa8d3d
@evernat
remove duplicate
b7190c6
@evernat
remove duplicate
cd82307
@evernat
Merge branch 'master' into content-security-policy
249af8a
@evernat
accents
7b4a48f
@evernat evernat merged commit c76db17 into master Jul 14, 2021
@evernat evernat deleted the content-security-policy branch July 14, 2021 22:02
goldyliang pushed a commit to goldyliang/javamelody that referenced this pull request Mar 17, 2022
@evernat
Enable content security policy by default (javamelody#1031)
8a7481b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@evernat @candrews