
Merge pull request #2 from sirdarckcat/isolate-scripts

Replace CSP support with Isolated Scripts
sirdarckcat committed Jan 22, 2017
2 parents fc5161d + 6f3e2f3 commit dfcbf458cc1e598dbea923092d23a77b69b6a7ce
Showing with 41 additions and 31 deletions.
  1. +6 −0 app.yaml
  2. +5 −2 guestbook.py
  3. +2 −29 index.html
  4. +28 −0 js/app.js
@@ -1,6 +1,7 @@
runtime: python27
api_version: 1
threadsafe: true
default_expiration: "0"
# [START handlers]
handlers:
@@ -11,6 +12,11 @@ handlers:
- url: /bootstrap
static_dir: bootstrap
- url: /js
static_dir: js
http_headers:
Isolated-Script: "true"
- url: /tasks/.*
script: guestbook.app
login: admin
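Review bot: The `Isolated-Script: "true"` response header added under the `/js` static_dir is not a standard header and carries no comment saying what it is for or which component acts on it, so a reader of app.yaml alone cannot tell it from a typo. Add a line above `http_headers:` such as `# Non-standard header consumed by the isolated-scripts experiment (see guestbook.py and js/app.js); every file under js/ is served with it.` The first hunk's added line cannot be identified on this rendering because the +/- markers are lost; if it is `default_expiration: "0"`, a comment noting that it disables client-side caching for all static handlers would help as well.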
@@ -81,20 +81,23 @@ def get(self):
template_values = {
'user': user,
'guestbook_name': urllib.quote_plus(guestbook_name),
'guestbook_name': guestbook_name,
'url': url,
'url_linktext': url_linktext,
'nonce': nonce,
}
template = JINJA_ENVIRONMENT.get_template('index.html')
self.response.headers.add("Content-Security-Policy","script-src 'nonce-%s'; object-src 'none'"%nonce)
self.response.headers.add("X-XSS-Protection","0")
self.response.headers.add("Set-Cookie","__isolatedScript-foo=1;httpOnly;secure")
self.response.write(template.render(template_values))
# [END main_page]
# [START guestbook]
class Guestbook(webapp2.RequestHandler):
def get(self):
if not self.request.cookies.get('__isolatedScript-foo'):
return
guestbook_name = self.request.get('guestbook_name',
DEFAULT_GUESTBOOK_NAME)
greetings_query = Greeting.query(
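Review bot: The cookie gate in `Guestbook.get` (`if not self.request.cookies.get('__isolatedScript-foo'): return`) bails out with a bare return, so a request without the cookie gets an empty body under the default 200 status; the caller in js/app.js then fails inside `r.json()` and only shows the generic alert, which makes the gate indistinguishable from a server error. Set an explicit status before returning, `self.response.set_status(403)`, and consider adding `SameSite=Strict` to the cookie set in the main page handler (`"__isolatedScript-foo=1;httpOnly;secure;SameSite=Strict"`) so cross-site requests never carry it; the same-origin `credentials: "include"` fetch is unaffected. In shipping browsers the `__isolatedScript-` name is only a convention, unlike the `__Secure-`/`__Host-` prefixes, so nothing enforces it unless the serving stack does. The main page handler's `get` starts before this hunk and `Guestbook.get` continues past it.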
@@ -1,5 +1,5 @@
<!DOCTYPE html>
{% autoescape true %}
{% autoescape false %}
<html>
<head>
<!-- [START css] -->
@@ -70,34 +70,7 @@
<a href="{{ url|safe }}">{{ url_linktext }}</a>
</div>
<script nonce="{{ nonce }}">
var submit = document.getElementById("gbsubmit");
var name = document.getElementById("gbname");
var form = document.getElementById("gbform");
var row = document.getElementById("gbrow");
var rows = [];
var table = row.parentNode;
function updateGuestbook() {
var url = "?guestbook_name="+encodeURIComponent(gbname.value);
submit.elements.guestbook_name.value = gbname.value;
history.pushState(null, "", url);
// Remove old rows.
rows.forEach(r=>r.parentNode.removeChild(r));
rows=[];
fetch("/guestbook" + url, {credentials: "include"}).then(r=>r.json()).then(j=>{
j.forEach(m=>{
var elem = table.insertBefore(row.cloneNode(true), table.firstChild);
rows.push(elem);
// Note this is an XSS.
elem.getElementsByTagName("blockquote")[0].innerHTML=m.content;
});
}).catch(e=>{
alert("Error loading guestbook comments");
});
return false;
}
gbform.onsubmit = window.onload = updateGuestbook;
</script>
<script src="js/app.js"></script>
</body>
</html>
{% endautoescape %}
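Review bot: Switching the template wrapper to `{% autoescape false %}` in the first hunk turns off HTML escaping for every expression in index.html, not just the one the author wants rendered raw: `{{ url_linktext }}`, `{{ nonce }}` and any `{{ guestbook_name }}` elsewhere in the template now go out unescaped, and guestbook.py in the same commit stops passing the name through `urllib.quote_plus`. If guestbook_name comes from the request, as the `Guestbook` handler's `self.request.get('guestbook_name', ...)` suggests, that is a reflected injection point separate from the deliberate one commented `// Note this is an XSS.` Keep `{% autoescape true %}` and mark only the expression that must be raw with `|safe`, as `{{ url|safe }}` already does. The second hunk moves the inline script to js/app.js; as far as the hunk shows, the `nonce` template value is no longer used in this template.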
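--- a/js/app.js
+++ b/js/app.js
@@ -0,0 +1,28 @@
+var submit = document.getElementById("gbsubmit");
+var name = document.getElementById("gbname");
+var form = document.getElementById("gbform");
+var row = document.getElementById("gbrow");
+var rows = [];
+var table = row.parentNode;
+function updateGuestbook() {
+var url = "?guestbook_name="+encodeURIComponent(gbname.value);
+submit.elements.guestbook_name.value = gbname.value;
+history.pushState(null, "", url);
+// Remove old rows.
+rows.forEach(r=>r.parentNode.removeChild(r));
+rows=[];
+fetch("/guestbook" + url, {credentials: "include"}).then(r=>r.json()).then(j=>{
+j.forEach(m=>{
+var elem = table.insertBefore(row.cloneNode(true), table.firstChild);
+rows.push(elem);
+// Note this is an XSS.
+elem.getElementsByTagName("blockquote")[0].innerHTML=m.content;
+});
+}).catch(e=>{
+alert("Error loading guestbook comments");
+});
+return false;
+}
+gbform.onsubmit = updateGuestbook;
+setTimeout(updateGuestbook, 1);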
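Review bot: `var name` and `var form` at the top of js/app.js are declared but never read; `updateGuestbook` and the last lines instead reach `gbname` and `gbform` through the implicit globals the browser creates from element ids, so the script silently depends on the markup's id-to-global mapping, and in a classic (non-module) script a top-level `var name = <element>` goes through the `window.name` setter, which stores the stringified element rather than the node. Use the declared locals and give the input variable a name that does not clash with `window.name`. The `innerHTML` assignment is marked as deliberate by its own comment and is left as is; the swallowed `e` in the catch could at least be logged with `console.error(e)` so a 403 from the cookie gate is distinguishable from a parse error.
```javascript
var submit = document.getElementById("gbsubmit");
var nameInput = document.getElementById("gbname");
var form = document.getElementById("gbform");
// … unchanged: row, rows, table …
function updateGuestbook() {
  var url = "?guestbook_name="+encodeURIComponent(nameInput.value);
  submit.elements.guestbook_name.value = nameInput.value;
  // … unchanged: pushState, row removal, fetch/render …
}
form.onsubmit = updateGuestbook;
setTimeout(updateGuestbook, 1);
```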
