From 64ec0708a1404e1f39a5fdc0131c89b2e4038bee Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 21 Feb 2016 02:51:27 +0100
Subject: More work for CSP, in particular install

Install needs testing.
https://github.com/FreshRSS/FreshRSS/issues/1075
---
 app/install.php | 92 ++++++---------------------------------------------------
 1 file changed, 9 insertions(+), 83 deletions(-)

(limited to 'app/install.php')

diff --git a/app/install.php b/app/install.php
index 7ac1c4cec..03f6e2199 100644
--- a/app/install.php
+++ b/app/install.php
@@ -616,27 +616,6 @@ function printStep1() {
 		<a class="btn btn-attention next-step confirm" data-str-confirm="<?php echo _t('install.js.confirm_reinstall'); ?>" href="?step=2" tabindex="2" ><?php echo _t('install.action.reinstall'); ?></a>
 	</form>
 
-	<script>
-		function ask_confirmation(e) {
-			var str_confirmation = this.getAttribute('data-str-confirm');
-			if (!str_confirmation) {
-				str_confirmation = "<?php echo _t('gen.js.confirm_action'); ?>";
-			}
-
-			if (!confirm(str_confirmation)) {
-				e.preventDefault();
-			}
-		}
-
-		function init_confirm() {
-			confirms = document.getElementsByClassName('confirm');
-			for (var i = 0 ; i < confirms.length ; i++) {
-				confirms[i].addEventListener('click', ask_confirmation);
-			}
-		}
-
-		init_confirm();
-	</script>
 	<?php } elseif ($res['all'] == 'ok') { ?>
 	<a class="btn btn-important next-step" href="?step=2" tabindex="1" ><?php echo _t('install.action.next_step'); ?></a>
 	<?php } else { ?>
@@ -674,7 +653,7 @@ function printStep2() {
 		<div class="form-group">
 			<label class="group-name" for="auth_type"><?php echo _t('install.auth.type'); ?></label>
 			<div class="group-controls">
-				<select id="auth_type" name="auth_type" required="required" onchange="auth_type_change(true)" tabindex="4">
+				<select id="auth_type" name="auth_type" required="required" tabindex="4">
 					<?php
 						function no_auth($auth_type) {
 							return !in_array($auth_type, array('form', 'persona', 'http_auth', 'none'));
@@ -709,48 +688,6 @@ function printStep2() {
 			</div>
 		</div>
 
-		<script>
-			function show_password() {
-				var button = this;
-				var passwordField = document.getElementById(button.getAttribute('data-toggle'));
-				passwordField.setAttribute('type', 'text');
-				button.className += ' active';
-
-				return false;
-			}
-			function hide_password() {
-				var button = this;
-				var passwordField = document.getElementById(button.getAttribute('data-toggle'));
-				passwordField.setAttribute('type', 'password');
-				button.className = button.className.replace(/(?:^|\s)active(?!\S)/g , '');
-
-				return false;
-			}
-			toggles = document.getElementsByClassName('toggle-password');
-			for (var i = 0 ; i < toggles.length ; i++) {
-				toggles[i].addEventListener('mousedown', show_password);
-				toggles[i].addEventListener('mouseup', hide_password);
-			}
-
-			function auth_type_change() {
-				var auth_value = document.getElementById('auth_type').value,
-				    password_input = document.getElementById('passwordPlain'),
-				    mail_input = document.getElementById('mail_login');
-
-				if (auth_value === 'form') {
-					password_input.required = true;
-					mail_input.required = false;
-				} else if (auth_value === 'persona') {
-					password_input.required = false;
-					mail_input.required = true;
-				} else {
-					password_input.required = false;
-					mail_input.required = false;
-				}
-			}
-			auth_type_change();
-		</script>
-
 		<div class="form-group form-actions">
 			<div class="group-controls">
 				<button type="submit" class="btn btn-important" tabindex="7" ><?php echo _t('gen.action.submit'); ?></button>
@@ -778,7 +715,7 @@ function printStep3() {
 		<div class="form-group">
 			<label class="group-name" for="type"><?php echo _t('install.bdd.type'); ?></label>
 			<div class="group-controls">
-				<select name="type" id="type" onchange="mySqlShowHide()" tabindex="1" >
+				<select name="type" id="type" tabindex="1">
 				<?php if (extension_loaded('pdo_mysql')) {?>
 				<option value="mysql"
 					<?php echo(isset($_SESSION['bd_type']) && $_SESSION['bd_type'] === 'mysql') ? 'selected="selected"' : ''; ?>>
@@ -831,19 +768,6 @@ function printStep3() {
 			</div>
 		</div>
 		</div>
-		<script>
-			function mySqlShowHide() {
-				document.getElementById('mysql').style.display = document.getElementById('type').value === 'mysql' ? 'block' : 'none';
-				if (document.getElementById('type').value !== 'mysql') {
-					document.getElementById('host').value = '';
-					document.getElementById('user').value = '';
-					document.getElementById('pass').value = '';
-					document.getElementById('base').value = '';
-					document.getElementById('prefix').value = '';
-				}
-			}
-			mySqlShowHide();
-		</script>
 
 		<div class="form-group form-actions">
 			<div class="group-controls">
@@ -897,13 +821,15 @@ case 5:
 }
 ?>
 <!DOCTYPE html>
-<html lang="fr">
+<html>
 	<head>
-		<meta charset="utf-8">
-		<meta name="viewport" content="initial-scale=1.0">
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="initial-scale=1.0" />
 		<title><?php echo _t('install.title'); ?></title>
-		<link rel="stylesheet" type="text/css" media="all" href="../themes/base-theme/template.css" />
-		<link rel="stylesheet" type="text/css" media="all" href="../themes/Origine/origine.css" />
+		<link rel="stylesheet" href="../themes/base-theme/template.css?<?php echo @filemtime(PUBLIC_PATH . '/themes/base-theme/template.css'); ?>" />
+		<link rel="stylesheet" href="../themes/Origine/origine.css?<?php echo @filemtime(PUBLIC_PATH . '/themes/Origine/origine.css'); ?>" />
+		<script src="../scripts/install.js?<?php echo @filemtime(PUBLIC_PATH . '/scripts/install.js'); ?>"></script>
+		<meta name="robots" content="noindex,nofollow" />
 	</head>
 	<body>
 
-- 
cgit v1.2.3


From 38c2d671e3480b8e9fb38491797e44fdea317006 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 21 Feb 2016 21:25:23 +0100
Subject: CSP different policies per controller

https://github.com/FreshRSS/FreshRSS/issues/1075
---
 app/FreshRSS.php | 14 ++++++++++----
 app/install.php  |  1 +
 2 files changed, 11 insertions(+), 4 deletions(-)

(limited to 'app/install.php')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 62ea18d96..bfbd7a6eb 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -111,10 +111,16 @@ class FreshRSS extends Minz_FrontController {
 	}
 
 	public static function preLayout() {
-		if (Minz_Request::controllerName() === 'stats') {
-			header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
-		} else {
-			header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+		switch (Minz_Request::controllerName()) {
+			case 'index':
+				header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+				break;
+			case 'stats':
+				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+				break;
+			default:
+				header("Content-Security-Policy: default-src 'self'");
+				break;
 		}
 	}
 
diff --git a/app/install.php b/app/install.php
index 03f6e2199..a4a888af2 100644
--- a/app/install.php
+++ b/app/install.php
@@ -2,6 +2,7 @@
 if (function_exists('opcache_reset')) {
 	opcache_reset();
 }
+header("Content-Security-Policy: default-src 'self'");
 
 define('BCRYPT_COST', 9);
 
-- 
cgit v1.2.3


From 995cf58d249c6a2ddfd042cc5b509914295c882f Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 28 Feb 2016 00:08:57 +0100
Subject: CSP bug in install script

https://github.com/FreshRSS/FreshRSS/issues/1075
---
 app/install.php      | 2 +-
 p/scripts/install.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'app/install.php')

diff --git a/app/install.php b/app/install.php
index a4a888af2..80e85354d 100644
--- a/app/install.php
+++ b/app/install.php
@@ -829,7 +829,6 @@ case 5:
 		<title><?php echo _t('install.title'); ?></title>
 		<link rel="stylesheet" href="../themes/base-theme/template.css?<?php echo @filemtime(PUBLIC_PATH . '/themes/base-theme/template.css'); ?>" />
 		<link rel="stylesheet" href="../themes/Origine/origine.css?<?php echo @filemtime(PUBLIC_PATH . '/themes/Origine/origine.css'); ?>" />
-		<script src="../scripts/install.js?<?php echo @filemtime(PUBLIC_PATH . '/scripts/install.js'); ?>"></script>
 		<meta name="robots" content="noindex,nofollow" />
 	</head>
 	<body>
@@ -877,5 +876,6 @@ case 5:
 		?>
 	</div>
 </div>
+	<script src="../scripts/install.js?<?php echo @filemtime(PUBLIC_PATH . '/scripts/install.js'); ?>"></script>
 	</body>
 </html>
diff --git a/p/scripts/install.js b/p/scripts/install.js
index 52d8bf8e0..9a49e6031 100644
--- a/p/scripts/install.js
+++ b/p/scripts/install.js
@@ -42,7 +42,7 @@ function auth_type_change() {
 var auth_type = document.getElementById('auth_type');
 if (auth_type) {
 	auth_type_change();
-	auth_type_change.addEventListener('change', auth_type_change);
+	auth_type.addEventListener('change', auth_type_change);
 }
 
 function mySqlShowHide() {
-- 
cgit v1.2.3