Posted to commits@myfaces.apache.org by lo...@apache.org on 2013/06/26 11:01:20 UTC

svn commit: r1496839 - in /myfaces/tobago/trunk: tobago-example/tobago-example-test/src/main/webapp/WEB-INF/ tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/ tobago-theme/tobago-them...

Author: lofwyr
Date: Wed Jun 26 09:01:20 2013
New Revision: 1496839

URL: http://svn.apache.org/r1496839
Log:
The prevent-frame-attacks feature now respects CSP

See
TOBAGO-1155: Prevent for Frame Attacks aka Clickjacking 
TOBAGO-1171: Support for the Content Security Policy (CSP)

Modified:
    myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
    myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
    myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css
    myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js

Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml Wed Jun 26 09:01:20 2013
@@ -29,6 +29,7 @@
   </theme-config>
   <resource-dir>tobago-resource</resource-dir>
 
+  <!-- because this application uses frames -->
   <prevent-frame-attacks>false</prevent-frame-attacks>
 
 <!-- uncomment this to enable CSP -->

Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java Wed Jun 26 09:01:20 2013
@@ -180,7 +180,7 @@ public class PageRenderer extends PageRe
         } catch (NumberFormatException e) {/* ignore; use default*/ }
       }
     }
-    boolean frameKiller = tobagoConfig.isPreventFrameAttacks();
+    boolean preventFrameAttacks = tobagoConfig.isPreventFrameAttacks();
 
     if (!FacesContextUtils.isAjax(facesContext)) {
       HtmlRendererUtils.renderDojoDndSource(facesContext, component);
@@ -324,8 +324,8 @@ public class PageRenderer extends PageRe
     }
 
     writer.startElement(HtmlElements.FORM, page);
-    if (frameKiller && !FacesContextUtils.isAjax(facesContext)) {
-      writer.writeAttribute(HtmlAttributes.STYLE, "display:none", false);
+    if (preventFrameAttacks && !FacesContextUtils.isAjax(facesContext)) {
+      writer.writeClassAttribute(Classes.create(page, "preventFrameAttacks", Markup.NULL));
     }
     writer.writeAttribute(HtmlAttributes.ACTION, formAction, true);
     writer.writeIdAttribute(page.getFormId(facesContext));
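Review bot: The form is now hidden through a CSS class instead of an inline `style` attribute, but nothing at the `writeClassAttribute` line says why; the motivation (a Content Security Policy that does not allow inline styles) lives only in the commit message, so add `// class instead of inline style so a CSP that forbids inline styles still hides the form; tobago.js removes the class when the page is not framed` above it. With the class applied the form is fail-closed: if the client script cannot run, the form stays hidden, which is the right direction. This remains a purely client-side measure, though; the server side should still emit an `X-Frame-Options` header (or a CSP `frame-ancestors` directive) so that a browser refuses the framing before any script is involved. The enclosing method starts and ends outside the hunk.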

Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/resources/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/style/tobago.css Wed Jun 26 09:01:20 2013
@@ -690,6 +690,10 @@ li.tobago-menu-markup-selected {
   font-size: 15px;
 }
 
+.tobago-page-preventFrameAttacks {
+  display: none;
+}
+
 /* panel -------------------------------------------------------------- */
 
 .tobago-panel {

Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js?rev=1496839&r1=1496838&r2=1496839&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js Wed Jun 26 09:01:20 2013
@@ -1038,13 +1038,12 @@ var Tobago = {
     });
   },
 
-  frameKiller: function() {
-    if (Tobago.form.style.display == 'none') {
-      if (self == top) {
-        Tobago.form.style.display = 'block';
-      }
+  preventFrameAttacks: function() {
+    if (self == top) {
+      jQuery(".tobago-page-preventFrameAttacks").removeClass("tobago-page-preventFrameAttacks");
     }
   },
+
 // -------- Util functions ----------------------------------------------------
 
   /**
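Review bot: `self == top` uses loose equality on bare globals; `window.self === window.top` is the conventional form and reads unambiguously. The new function also lacks a comment stating its fail-closed contract: the form arrives hidden by the `tobago-page-preventFrameAttacks` class and is revealed only when this document is the top-level window, so if the listener never runs the form stays hidden; add `// Reveal the form only when this window is not framed; if this never runs, the form stays hidden (fail-closed).` above the `if`. The call presumably relies on jQuery being loaded before `DOCUMENT_READY` fires, which the hunk does not show; worth confirming.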
@@ -1708,7 +1707,7 @@ Tobago.Config = {
 };
 
 Tobago.Config.set("Tobago", "themeConfig", "standard/standard");
-Tobago.registerListener(Tobago.frameKiller, Tobago.Phase.DOCUMENT_READY);
+Tobago.registerListener(Tobago.preventFrameAttacks, Tobago.Phase.DOCUMENT_READY);
 // using Tobago.Phase.Order.LATE, because the command event generated by data-tobago-commands
 // may produce a submit, but we need to do something before the submit (and also on click,
 // e. g. selectOne in a toolBar).