Posted to commits@couchdb.apache.org by kx...@apache.org on 2014/06/17 23:25:57 UTC

[1/4] fauxton commit: updated refs/heads/import-master to 9bc7c98

Repository: couchdb-fauxton
Updated Branches:
  refs/heads/import-master 8cb432c5f -> 9bc7c98e2


Add Experimental Content-Security-Policy-Support (CSP) for Fauxton

Like every web application, Fauxton is vulnerable against XSS and
CSP is a technology that tries to help against that.

The patch makes it possible to enable CSP for the /_utils path and
allows configuration of the sent header.

The default setting for the value of the header breaks the old
Futon, when CSP is enabled there. The old Futon has a lot of
inline-JavaScript which is not allowed in the setting I have
chosen as default.

For development, the header is also sent from the Node server
which launches Fauxton in dev-mode.

People can enable the feature by setting enable = true in the
section [csp] of their configs


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/7b82f198
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/7b82f198
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/7b82f198

Branch: refs/heads/import-master
Commit: 7b82f1986dee4c4cfb16b1687f62aa080ad20fe9
Parents: 8cb432c
Author: Robert Kowalski <ro...@kowalski.gd>
Authored: Sat May 17 18:37:30 2014 +0200
Committer: Robert Kowalski <ro...@kowalski.gd>
Committed: Mon Jun 9 19:09:06 2014 +0200

----------------------------------------------------------------------
 tasks/couchserver.js | 4 ++++
 1 file changed, 4 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/7b82f198/tasks/couchserver.js
----------------------------------------------------------------------
diff --git a/tasks/couchserver.js b/tasks/couchserver.js
index 67b0ae0..3a17ab6 100644
--- a/tasks/couchserver.js
+++ b/tasks/couchserver.js
@@ -47,6 +47,10 @@ module.exports = function (grunt) {
           accept = req.headers.accept.split(','),
           filePath;
 
+      var headerValue = "default-src 'self'; img-src 'self'; font-src 'self'; " +
+                        "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+      res.setHeader('Content-Security-Policy', headerValue);
+
       if (!!url.match(/^\/addons\/.*\/assets\/js/)) {
         filePath = path.join(app_dir, url.replace('/_utils/fauxton/',''));
       } else if (!!url.match(/assets/)) {
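Review bot: The policy string added at `var headerValue = "default-src 'self'; ..."` allows `script-src 'self' 'unsafe-eval'` and `style-src 'self' 'unsafe-inline'` without recording why, and `'unsafe-eval'` in particular re-opens a large part of what the header is meant to close, so the reason (presumably template compilation or a loader in the dev build; worth confirming) should be documented next to it so the exception can be tightened later. Suggested comment above the declaration: `// 'unsafe-eval' and 'unsafe-inline' are the only deviations from 'self'; note what requires each so they can be removed once those paths are fixed`. The `img-src 'self'` and `font-src 'self'` directives only repeat the `default-src` fallback, and the string is rebuilt on every request inside the handler, so it can be a single constant next to the other options. The same header value is carried over unchanged in the later hunk of `tasks/couchserver.js` in commit 9bc7c98e, which applies the same remark. The enclosing request handler starts outside this hunk.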


[3/4] fauxton commit: updated refs/heads/import-master to 9bc7c98

Posted by kx...@apache.org.
Fauxton: Fix font awesome url to work for release


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/9fe95cb3
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/9fe95cb3
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/9fe95cb3

Branch: refs/heads/import-master
Commit: 9fe95cb30af285274517e0e96b910c5e01cab194
Parents: 35d6f4e
Author: Garren Smith <ga...@gmail.com>
Authored: Tue Jun 10 14:51:12 2014 +0200
Committer: Garren Smith <ga...@gmail.com>
Committed: Wed Jun 11 11:21:34 2014 +0200

----------------------------------------------------------------------
 assets/less/bootstrap/font-awesome/variables.less | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/9fe95cb3/assets/less/bootstrap/font-awesome/variables.less
----------------------------------------------------------------------
diff --git a/assets/less/bootstrap/font-awesome/variables.less b/assets/less/bootstrap/font-awesome/variables.less
index 5d93614..0715887 100644
--- a/assets/less/bootstrap/font-awesome/variables.less
+++ b/assets/less/bootstrap/font-awesome/variables.less
@@ -1,7 +1,7 @@
 // Variables
 // --------------------------
 
-@FontAwesomePath:    "../../img";
+@FontAwesomePath:    "../img";
 //@FontAwesomePath:    "//netdna.bootstrapcdn.com/font-awesome/3.2.1/font"; // for referencing Bootstrap CDN font files directly
 @FontAwesomeVersion: "3.2.1";
 @borderColor:        #eee;


[2/4] fauxton commit: updated refs/heads/import-master to 9bc7c98

Posted by kx...@apache.org.
Fauxton: Fix show me api link

 * use data-bypass attribute to circumvent backbone routing


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/35d6f4e9
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/35d6f4e9
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/35d6f4e9

Branch: refs/heads/import-master
Commit: 35d6f4e9f2ae1cbd2603f19afadb096312a16ed0
Parents: 7b82f19
Author: Robin Drexler <dr...@gmail.com>
Authored: Sun Jun 8 20:07:58 2014 +0200
Committer: Robert Kowalski <ro...@kowalski.gd>
Committed: Mon Jun 9 19:54:27 2014 +0200

----------------------------------------------------------------------
 app/addons/fauxton/templates/api_bar.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/35d6f4e9/app/addons/fauxton/templates/api_bar.html
----------------------------------------------------------------------
diff --git a/app/addons/fauxton/templates/api_bar.html b/app/addons/fauxton/templates/api_bar.html
index ecd92f1..886c06e 100644
--- a/app/addons/fauxton/templates/api_bar.html
+++ b/app/addons/fauxton/templates/api_bar.html
@@ -25,6 +25,6 @@ the License.
         </a>
       </span>
       <input type="text" class="input-xxlarge" value="<%- endpoint %>">
-      <a href="<%- endpoint %>" target="_blank" class="btn">Show me</a>
+      <a data-bypass="true" href="<%- endpoint %>" target="_blank" class="btn">Show me</a>
     </div>
 </div>
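Review bot: The link at `<a data-bypass="true" href="<%- endpoint %>" target="_blank" class="btn">` opens the endpoint in a new browsing context without `rel="noopener"`, so the opened page keeps a `window.opener` reference back to the Fauxton tab; `endpoint` is likely a same-origin CouchDB URL, which limits the exposure, but adding the attribute costs nothing. Suggested line: `<a data-bypass="true" href="<%- endpoint %>" target="_blank" rel="noopener noreferrer" class="btn">Show me</a>`. The `<%- %>` escaping protects the attribute from markup injection but does not restrict the URL scheme, so it is worth confirming that `endpoint` is always assembled by the application rather than taken from user input.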


[4/4] fauxton commit: updated refs/heads/import-master to 9bc7c98

Posted by kx...@apache.org.
Fauxton: Content Security Policy optional for dev

This just makes the content security policy optional for
development.


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/9bc7c98e
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/9bc7c98e
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/9bc7c98e

Branch: refs/heads/import-master
Commit: 9bc7c98e2a6d4d942a9e7a1d4c52653c9f7a6a4a
Parents: 9fe95cb
Author: Garren Smith <ga...@gmail.com>
Authored: Tue Jun 10 15:19:32 2014 +0200
Committer: Garren Smith <ga...@gmail.com>
Committed: Wed Jun 11 11:21:34 2014 +0200

----------------------------------------------------------------------
 tasks/couchserver.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/9bc7c98e/tasks/couchserver.js
----------------------------------------------------------------------
diff --git a/tasks/couchserver.js b/tasks/couchserver.js
index 3a17ab6..8e95c5c 100644
--- a/tasks/couchserver.js
+++ b/tasks/couchserver.js
@@ -25,7 +25,8 @@ module.exports = function (grunt) {
     // Options
     var dist_dir = options.dist || './dist/debug/',
         app_dir = './app',
-        port = options.port || 8000;
+        port = options.port || 8000,
+        setContentSecurityPolicy = _.isUndefined(options.contentSecurityPolicy) ? true : options.contentSecurityPolicy;
 
     // Proxy options with default localhost
     var proxy_settings = options.proxy || {
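Review bot: The new `setContentSecurityPolicy = _.isUndefined(options.contentSecurityPolicy) ? true : options.contentSecurityPolicy;` passes the option through unchanged and the later `if (setContentSecurityPolicy)` tests it for truthiness, so any non-boolean value a caller supplies (for example the string `"false"` from a command-line or config source) still enables the header. `setContentSecurityPolicy = options.contentSecurityPolicy !== false;` makes the opt-out explicit, provided `null` is not a meaningful value for this option. `_` is not visible in this hunk, so its availability at the top of `tasks/couchserver.js` should be confirmed. The enclosing `module.exports` function starts outside the hunk.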
@@ -47,9 +48,11 @@ module.exports = function (grunt) {
           accept = req.headers.accept.split(','),
           filePath;
 
-      var headerValue = "default-src 'self'; img-src 'self'; font-src 'self'; " +
-                        "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
-      res.setHeader('Content-Security-Policy', headerValue);
+      if (setContentSecurityPolicy) {
+        var headerValue = "default-src 'self'; img-src 'self'; font-src 'self'; " +
+                          "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+        res.setHeader('Content-Security-Policy', headerValue);
+      }
 
       if (!!url.match(/^\/addons\/.*\/assets\/js/)) {
         filePath = path.join(app_dir, url.replace('/_utils/fauxton/',''));