Posted to commits@myfaces.apache.org by lo...@apache.org on 2013/06/26 11:01:20 UTC
svn commit: r1496839 - in /myfaces/tobago/trunk:
tobago-example/tobago-example-test/src/main/webapp/WEB-INF/
tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/
tobago-theme/tobago-them...
Author: lofwyr
Date: Wed Jun 26 09:01:20 2013
New Revision: 1496839
URL: http://svn.apache.org/r1496839
Log:
The prevent-frame-attacks option now respects CSP
See
TOBAGO-1155: Prevent for Frame Attacks aka Clickjacking
TOBAGO-1171: Support for the Content Security Policy (CSP)
Modified:
myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css
myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js
Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml Wed Jun 26 09:01:20 2013
@@ -29,6 +29,7 @@
</theme-config>
<resource-dir>tobago-resource</resource-dir>
+ <!-- because this application uses frames -->
<prevent-frame-attacks>false</prevent-frame-attacks>
<!-- uncomment this to enable CSP -->
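Review bot: The new comment says why the option is off but not what is given up: with `prevent-frame-attacks` set to false the example application has no clickjacking defence at all, and anyone using this file as a template inherits that. I would state it explicitly, e.g. `<!-- disabled because this application frames its own pages and the frame-attack check (self == top) would hide them; NOTE: this leaves the example unprotected against clickjacking, do not copy into production configs -->`. If the framing this application does is same-origin, a same-origin allowance in the check (rather than a global off switch) would let the protection stay on here.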
Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java Wed Jun 26 09:01:20 2013
@@ -180,7 +180,7 @@ public class PageRenderer extends PageRe
} catch (NumberFormatException e) {/* ignore; use default*/ }
}
}
- boolean frameKiller = tobagoConfig.isPreventFrameAttacks();
+ boolean preventFrameAttacks = tobagoConfig.isPreventFrameAttacks();
if (!FacesContextUtils.isAjax(facesContext)) {
HtmlRendererUtils.renderDojoDndSource(facesContext, component);
@@ -324,8 +324,8 @@ public class PageRenderer extends PageRe
}
writer.startElement(HtmlElements.FORM, page);
- if (frameKiller && !FacesContextUtils.isAjax(facesContext)) {
- writer.writeAttribute(HtmlAttributes.STYLE, "display:none", false);
+ if (preventFrameAttacks && !FacesContextUtils.isAjax(facesContext)) {
+ writer.writeClassAttribute(Classes.create(page, "preventFrameAttacks", Markup.NULL));
}
writer.writeAttribute(HtmlAttributes.ACTION, formAction, true);
writer.writeIdAttribute(page.getFormId(facesContext));
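Review bot: The hide-by-default now rests on a stylesheet rule instead of the inline `display:none` dropped in this hunk, so the defence only holds for themes whose stylesheet actually defines `.tobago-page-preventFrameAttacks { display: none }`; in this commit the rule is added only to scarborough's tobago.css while the unhide script lives in the standard theme's tobago.js, so a theme without the rule, or a page whose stylesheet fails to load, would render the form visible inside an attacker's frame. I assume `Classes.create(page, "preventFrameAttacks", Markup.NULL)` yields exactly `tobago-page-preventFrameAttacks`, which the CSS and the jQuery selector depend on; a comment stating that coupling would help, e.g. `// hidden by the theme's .tobago-page-preventFrameAttacks rule; Tobago.preventFrameAttacks() removes the class once the page is the top window`. Client-side hiding is only a fallback: when `isPreventFrameAttacks()` is set, also emitting an `X-Frame-Options: DENY` (or CSP `frame-ancestors`) response header protects the page even when scripts or stylesheets are blocked. The enclosing method starts and ends outside this hunk.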
Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css Wed Jun 26 09:01:20 2013
@@ -690,6 +690,10 @@ li.tobago-menu-markup-selected {
font-size: 15px;
}
+.tobago-page-preventFrameAttacks {
+ display: none;
+}
+
/* panel -------------------------------------------------------------- */
.tobago-panel {
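Review bot: This rule now carries the whole hide-until-proven-top defence, but as a single-class selector it loses to any more specific rule targeting the page form (an id or descendant selector in a theme or application stylesheet), whereas the inline style it replaces was overridden only by `!important`. Declaring it `display: none !important;` restores that precedence so an unrelated style cannot accidentally reveal the form while it is framed. The same rule also has to exist in every theme stylesheet, since the renderer emits the class regardless of theme; only scarborough's tobago.css is changed here as far as I can see.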
Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js Wed Jun 26 09:01:20 2013
@@ -1038,13 +1038,12 @@ var Tobago = {
});
},
- frameKiller: function() {
- if (Tobago.form.style.display == 'none') {
- if (self == top) {
- Tobago.form.style.display = 'block';
- }
+ preventFrameAttacks: function() {
+ if (self == top) {
+ jQuery(".tobago-page-preventFrameAttacks").removeClass("tobago-page-preventFrameAttacks");
}
},
+
// -------- Util functions ----------------------------------------------------
/**
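Review bot: `self == top` keeps the form hidden for every framing, including the application framing its own pages from the same origin, which is exactly why the example config turns the feature off altogether and ends up with no clickjacking protection. Walking the ancestor chain and unhiding only when every ancestor is same-origin keeps the protection on in that case while still hiding the form under a cross-origin top or intermediate frame: reading `location` of a cross-origin window throws, and the catch branch leaves the class in place. A sandboxed iframe without `allow-scripts` never runs this code, so the form stays hidden there as well; this remains a fallback and a server-side `X-Frame-Options`/`frame-ancestors` header should be the primary control. The function is complete within this hunk.
```javascript
  preventFrameAttacks: function() {
    var trusted = true;
    try {
      // Reading location of a cross-origin ancestor throws, which leaves
      // the form hidden; only an all-same-origin chain unhides it.
      var origin = self.location.protocol + "//" + self.location.host;
      for (var w = self; w !== top; ) {
        w = w.parent;
        if (w.location.protocol + "//" + w.location.host !== origin) {
          trusted = false;
          break;
        }
      }
    } catch (e) {
      trusted = false;
    }
    if (trusted) {
      jQuery(".tobago-page-preventFrameAttacks").removeClass("tobago-page-preventFrameAttacks");
    }
  },
```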
@@ -1708,7 +1707,7 @@ Tobago.Config = {
};
Tobago.Config.set("Tobago", "themeConfig", "standard/standard");
-Tobago.registerListener(Tobago.frameKiller, Tobago.Phase.DOCUMENT_READY);
+Tobago.registerListener(Tobago.preventFrameAttacks, Tobago.Phase.DOCUMENT_READY);
// using Tobago.Phase.Order.LATE, because the command event generated by data-tobago-commands
// may produce a submit, but we need to do something before the submit (and also on click,
// e. g. selectOne in a toolBar).