Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2020/07/28 13:48:11 UTC

Use of "constants" in Manager to generate HTML/CSS content

All,

I was looking at this PR[1] and wondering why we have huge swaths of
CSS and HTML in a Java source file, instead of using e.g. JSP or some
other content-generation framework.

I know, I hate JSP, too, but having large blocks of HTML and CSS in
Java strings is just ... awful.

Also, is there a particular reason we are using embedded CSS in the
pages instead of an external CSS file?

Ultimately, it would be a good idea to move all CSS and even styles
into a separate CSS file so we can tighten-up the Content Security
Policy on the manager app. This can help prevent attacks if there
happens to be some kind of XSS vulnerability hiding in there somewhere.

Any objections to evicting the CSS to begin with?

Thanks,
-chris

[1] https://github.com/apache/tomcat/pull/327

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Igal,

On 8/11/20 23:23, Igal Sapir wrote:
> Chris,
>
> On Mon, Aug 10, 2020 at 12:20 PM Martin Grigorov
> <mgrigorov@apache.org <ma...@apache.org>> wrote:
>
>
> On Tue, Jul 28, 2020, 16:48 Christopher Schultz
> <chris@christopherschultz.net
> <ma...@christopherschultz.net>> wrote:
>
> All,
>
> I was looking at this PR[1] and wondering why we have huge swaths
> of CSS and HTML in a Java source file, instead of using e.g. JSP
> or some other content-generation framework.
>
> I know, I hate JSP, too, but having large blocks of HTML and CSS
> in Java strings is just ... awful.
>
> Also, is there a particular reason we are using embedded CSS in
> the pages instead of an external CSS file?
>
> Ultimately, it would be a good idea to move all CSS and even
> styles into a separate CSS file so we can tighten-up the Content
> Security Policy on the manager app. This can help prevent attacks
> if there happens to be some kind of XSS vulnerability hiding in
> there somewhere.
>
> Any objections to evicting the CSS to begin with?
>
>
>> It's funny, I was thinking the same thing a couple of weeks ago
>> but didn't want to cause a merge conflict for the PR so waited to
>> see what's going on with that, though as I commented on it I
>> don't like that it changes the theme colors, etc.
>
>> If you are already working on that then great.  If you haven't
>> started, and you have better things to do, I'd be happy to clean
>> that up so please LMK.

I've got a bunch of ACAH presentations to get done, so I'd be
perfectly happy to have you do this work :)

-chris


Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Igal Sapir <ig...@lucee.org>.
Chris,

On Mon, Aug 10, 2020 at 12:20 PM Martin Grigorov <mg...@apache.org>
wrote:

>
> On Tue, Jul 28, 2020, 16:48 Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>> All,
>>
>> I was looking at this PR[1] and wondering why we have huge swaths of
>> CSS and HTML in a Java source file, instead of using e.g. JSP or some
>> other content-generation framework.
>>
>> I know, I hate JSP, too, but having large blocks of HTML and CSS in
>> Java strings is just ... awful.
>>
>> Also, is there a particular reason we are using embedded CSS in the
>> pages instead of an external CSS file?
>>
>> Ultimately, it would be a good idea to move all CSS and even styles
>> into a separate CSS file so we can tighten-up the Content Security
>> Policy on the manager app. This can help prevent attacks if there
>> happens to be some kind of XSS vulnerability hiding in there somewhere.
>>
>> Any objections to evicting the CSS to begin with?
>>
>
It's funny, I was thinking the same thing a couple of weeks ago but didn't
want to cause a merge conflict for the PR so waited to see what's going on
with that, though as I commented on it I don't like that it changes the
theme colors, etc.

If you are already working on that then great.  If you haven't started, and
you have better things to do, I'd be happy to clean that up so please LMK.

Best,

Igal



>
> +1
>
>
>> Thanks,
>> -chris
>>
>> [1] https://github.com/apache/tomcat/pull/327

Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Martin Grigorov <mg...@apache.org>.
On Tue, Jul 28, 2020, 16:48 Christopher Schultz <
chris@christopherschultz.net> wrote:

> All,
>
> I was looking at this PR[1] and wondering why we have huge swaths of
> CSS and HTML in a Java source file, instead of using e.g. JSP or some
> other content-generation framework.
>
> I know, I hate JSP, too, but having large blocks of HTML and CSS in
> Java strings is just ... awful.
>
> Also, is there a particular reason we are using embedded CSS in the
> pages instead of an external CSS file?
>
> Ultimately, it would be a good idea to move all CSS and even styles
> into a separate CSS file so we can tighten-up the Content Security
> Policy on the manager app. This can help prevent attacks if there
> happens to be some kind of XSS vulnerability hiding in there somewhere.
>
> Any objections to evicting the CSS to begin with?
>

+1


> Thanks,
> -chris
>
> [1] https://github.com/apache/tomcat/pull/327

Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Igal Sapir <ig...@lucee.org>.
Konstantin,

On Sun, Aug 16, 2020 at 1:00 PM Konstantin Kolinko <kn...@gmail.com>
wrote:

> On Sun, 16 Aug 2020 at 21:32, Igal Sapir <ig...@lucee.org> wrote:
> >
> > I don't see any scripts either.  Why not add a CSP and set script to
> 'none'?  I can add that if no one objects.
> >
>
> sessionsList.jsp has onclick attributes. Maybe it can be modified to
> work without them, I do not know.
>

Definitely something to consider.  I naively searched for "script" and
missed that.

Thank you,

Igal



>
> K.Kolinko

Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 8/16/20 15:59, Konstantin Kolinko wrote:
> On Sun, 16 Aug 2020 at 21:32, Igal Sapir <ig...@lucee.org> wrote:
>>
>> I don't see any scripts either.  Why not add a CSP and set script
>> to 'none'?  I can add that if no one objects.
>>
>
> sessionsList.jsp has onclick attributes. Maybe it can be modified
> to work without them, I do not know.

SOP these days is to include a script that attaches itself to the
appropriate elements, instead of having "onclick" attributes directly
in the markup.

This can be solved either by modifying the CSP for that page
specifically, or by specifically allowing scripts based upon their
sha256 signatures.

-chris


Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Konstantin Kolinko <kn...@gmail.com>.
On Sun, 16 Aug 2020 at 21:32, Igal Sapir <ig...@lucee.org> wrote:
>
> I don't see any scripts either.  Why not add a CSP and set script to 'none'?  I can add that if no one objects.
>

sessionsList.jsp has onclick attributes. Maybe it can be modified to
work without them, I do not know.

K.Kolinko



Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Igal Sapir <ig...@lucee.org>.
On Wed, Aug 12, 2020 at 8:47 AM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Konstantin,
>
> On 8/12/20 10:02, Konstantin Kolinko wrote:
> > On Tue, 28 Jul 2020 at 16:55, Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >>
> >> All,
> >>
> >> I was looking at this PR[1] and wondering why we have huge swaths
> >> of CSS and HTML in a Java source file, instead of using e.g. JSP
> >> or some other content-generation framework.
> >
> > I remember that I once read some praise for being able to use the
> > Manager web application when there is no Jasper and no JSP
> > compiler available. It was more than 5 years ago and I do not
> > remember the details - maybe it was some small system with limited
> > hardware.
>
> Agreed.
>
> > The Manager app does use JSPs nowadays, not for some unimportant
> > pages: listing of sessions and listing attributes of a session.
>
> Okay. Are you suggesting then that JSP can/should be required for
> Manager usage? Or maybe just for certain functions?
>
> >> I know, I hate JSP, too, but having large blocks of HTML and CSS
> >> in Java strings is just ... awful.
> >>
> >> Also, is there a particular reason we are using embedded CSS in
> >> the pages instead of an external CSS file?
> >
> > Originally it was rather small. It grows with time.
>
> Okay. I think it's time to separate.
>
> > A separate file needs a license header, so the size will grow.
>
> I'm okay with that.
>
> >> Ultimately, it would be a good idea to move all CSS and even
> >> styles into a separate CSS file so we can tighten-up the Content
> >> Security Policy on the manager app. This can help prevent attacks
> >> if there happens to be some kind of XSS vulnerability hiding in
> >> there somewhere.
> >
> > I do not get how having a separate file [matters] with Content
> > Security Policy.
>
> Having separate CSS allows a site to allow external styles but
> prohibit in-page styles. The allow-token for CSP for inline styles is
> "unsafe-inline".
>
> The reason this is a security issue is for XSS attacks. If an XSS
> attack is in progress, the script may attempt to modify the page's
> styles to manipulate the user. For example, hiding some important data
> or warning message. XSS would have more difficulty spoofing an
> externally-loaded CSS file.
>
> I don't think we have any js in the Manager, but external js is better
> as well, as the page is therefore prohibited from running any js code
> appearing in the page: all scripts must be external.
>

I don't see any scripts either.  Why not add a CSP and set script to
'none'?  I can add that if no one objects.


>
> Speaking of which, we should look at defining a CSP for the Manager
> application.
>
> >> Any objections to evicting the CSS to begin with?
> >
> > No objection, if you want it.
>

I have extracted the CSS from the Java code on master [2].  I plan to port
that to 9.0.x and 8.5.x.  Feedback welcomed.

I also replaced the old GIF logo with an SVG image from the main page as it
looks more modern and crisp, especially on high resolution screens.

I personally don't think that a few KBs make a difference with the code
size, but if it is a concern then we can remove the multiple copies of the
logos (Tomcat and ASF) for example from the different web applications, and
copy them over at build time.  So we will have a slightly smaller codebase
at the expense of a bit more complicated build process.

Best,

Igal

[2]
https://github.com/apache/tomcat/commit/9c5d2e3b633fdb651bc9f11db4aac97ad3ad4df2



> >
> > We already have image files. Thus, why not?
>
> Since you mentioned it, how do we "license" image files?
>
> >> [1] https://github.com/apache/tomcat/pull/327
> >
> > An odd PR. I see that it makes some visual changes, but there is
> > no description nor discussion what the actual changes are.
>
> I care less about this specific PR and more about cleaning everything up.
>
> -chris

Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Konstantin Kolinko <kn...@gmail.com>.
On Wed, 12 Aug 2020 at 18:48, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Konstantin,
>
> On 8/12/20 10:02, Konstantin Kolinko wrote:
> > On Tue, 28 Jul 2020 at 16:55, Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >>
> >> All,
> >>
> >> I was looking at this PR[1] and wondering why we have huge swaths
> >> of CSS and HTML in a Java source file, instead of using e.g. JSP
> >> or some other content-generation framework.
> >
> > I remember that I once read some praise for being able to use the
> > Manager web application when there is no Jasper and no JSP
> > compiler available. It was more than 5 years ago and I do not
> > remember the details - maybe it was some small system with limited
> > hardware.
>
> Agreed.
>
> > The Manager app does use JSPs nowadays, not for some unimportant
> > pages: listing of sessions and listing attributes of a session.
>
> Okay. Are you suggesting then that JSP can/should be required for
> Manager usage? Or maybe just for certain functions?

JSPs are de facto required for certain functions, and nobody has
complained thus far, as far as I remember.

I think that if we seriously modify the Manager app so that it heavily
relies on JSPs, then maybe it would be better to precompile those JSP
pages at build time.

K.Kolinko



Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 8/12/20 10:02, Konstantin Kolinko wrote:
> On Tue, 28 Jul 2020 at 16:55, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>>
>> All,
>>
>> I was looking at this PR[1] and wondering why we have huge swaths
>> of CSS and HTML in a Java source file, instead of using e.g. JSP
>> or some other content-generation framework.
>
> I remember that I once read some praise for being able to use the
> Manager web application when there is no Jasper and no JSP
> compiler available. It was more than 5 years ago and I do not
> remember the details - maybe it was some small system with limited
> hardware.

Agreed.

> The Manager app does use JSPs nowadays, not for some unimportant
> pages: listing of sessions and listing attributes of a session.

Okay. Are you suggesting then that JSP can/should be required for
Manager usage? Or maybe just for certain functions?

>> I know, I hate JSP, too, but having large blocks of HTML and CSS
>> in Java strings is just ... awful.
>>
>> Also, is there a particular reason we are using embedded CSS in
>> the pages instead of an external CSS file?
>
> Originally it was rather small. It grows with time.

Okay. I think it's time to separate.

> A separate file needs a license header, so the size will grow.

I'm okay with that.

>> Ultimately, it would be a good idea to move all CSS and even
>> styles into a separate CSS file so we can tighten-up the Content
>> Security Policy on the manager app. This can help prevent attacks
>> if there happens to be some kind of XSS vulnerability hiding in
>> there somewhere.
>
> I do not get how having a separate file [matters] with Content
> Security Policy.

Having separate CSS allows a site to allow external styles but
prohibit in-page styles. The allow-token for CSP for inline styles is
"unsafe-inline".

The reason this is a security issue is for XSS attacks. If an XSS
attack is in progress, the script may attempt to modify the page's
styles to manipulate the user. For example, hiding some important data
or warning message. XSS would have more difficulty spoofing an
externally-loaded CSS file.

I don't think we have any js in the Manager, but external js is better
as well, as the page is therefore prohibited from running any js code
appearing in the page: all scripts must be external.

Speaking of which, we should look at defining a CSP for the Manager
application.

>> Any objections to evicting the CSS to begin with?
>
> No objection, if you want it.
>
> We already have image files. Thus, why not?

Since you mentioned it, how do we "license" image files?

>> [1] https://github.com/apache/tomcat/pull/327
>
> An odd PR. I see that it makes some visual changes, but there is
> no description nor discussion what the actual changes are.

I care less about this specific PR and more about cleaning everything up.

-chris


Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Konstantin Kolinko <kn...@gmail.com>.
On Tue, 28 Jul 2020 at 16:55, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> All,
>
> I was looking at this PR[1] and wondering why we have huge swaths of
> CSS and HTML in a Java source file, instead of using e.g. JSP or some
> other content-generation framework.

I remember that I once read some praise for being able to use the
Manager web application when there is no Jasper and no JSP compiler
available. It was more than 5 years ago and I do not remember the
details - maybe it was some small system with limited hardware.

The Manager app does use JSPs nowadays, not for some unimportant
pages: listing of sessions and listing attributes of a session.

> I know, I hate JSP, too, but having large blocks of HTML and CSS in
> Java strings is just ... awful.
>
> Also, is there a particular reason we are using embedded CSS in the
> pages instead of an external CSS file?

Originally it was rather small. It grows with time.

A separate file needs a license header, so the size will grow.

> Ultimately, it would be a good idea to move all CSS and even styles
> into a separate CSS file so we can tighten-up the Content Security
> Policy on the manager app. This can help prevent attacks if there
> happens to be some kind of XSS vulnerability hiding in there somewhere.

I do not get how having a separate file matters with Content Security Policy.

> Any objections to evicting the CSS to begin with?

No objection, if you want it.

We already have image files. Thus, why not?

> [1] https://github.com/apache/tomcat/pull/327

An odd PR. I see that it makes some visual changes, but there is no
description nor discussion what the actual changes are.

Best regards,
Konstantin Kolinko



Re: Use of "constants" in Manager to generate HTML/CSS content

Posted by Mark Thomas <ma...@apache.org>.
On 28/07/2020 14:48, Christopher Schultz wrote:
> All,
> 
> I was looking at this PR[1] and wondering why we have huge swaths of
> CSS and HTML in a Java source file, instead of using e.g. JSP or some
> other content-generation framework.
> 
> I know, I hate JSP, too, but having large blocks of HTML and CSS in
> Java strings is just ... awful.
> 
> Also, is there a particular reason we are using embedded CSS in the
> pages instead of an external CSS file?
> 
> Ultimately, it would be a good idea to move all CSS and even styles
> into a separate CSS file so we can tighten-up the Content Security
> Policy on the manager app. This can help prevent attacks if there
> happens to be some kind of XSS vulnerability hiding in there somewhere.
> 
> Any objections to evicting the CSS to begin with?

+1

No objections here.

Mark
