- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing context, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.

Bring files on oacs-5-10 in sync with HEAD

whitespace and spelling changes

category_tree::get_categories reform:

always return all root categories of given tree. Keep sorting by localized name, but use the en_US translation as a default when desired one is missing. Improve documentation.

Rollback of 'boolean' parameter datatype, as Oracle does not see it as necessary to have 'boolean' datatypes, and they do not even provide a proper alternative for what to use instead. Great. See: https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:6263249199595#876972400346931526

Add 'boolean' parameter datatype and increase version number

file upgrade-5.10.0d12-5.10.0d13.sql was initially added on branch oacs-5-10.

Fix typo

activate warnings in case the old IE bug is still around

Whitespace changes

Fix dynamic-types package installation (many thanks to Iuri Sanpaio). See #3381

Remove trailing "Class" keyword so classes are correctly displayed in the api-doc (See #3383)

ad_sign: generalize last ad_sign handling to allow user and csrf binding

use user-specific sign operations for protecting delete operations

ad_sign: new optional parameter "user_binding"

The parameter user_binding allows binding a signature to a user. When the value is "-1", only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

Bring files on oacs-5-10 in sync with HEAD

Secure forums delete button by protecting the message_id with a timed signature

make sure to populate global variable for different notations of the default database

use usual spelling convention

Bring files on oacs-5-10 in sync with HEAD

add missing file

Fix incorrect default value

Whitespace changes + editor hints

Replace/remove deprecated proc 'db_null'

Remove deprecated proc 'db_nullify_empty_string' from doc

Whitespace changes + editor hints

Replace/remove deprecated proc 'db_null' and update doc accordingly

Deprecate 'db_nullify_empty_string', essentially just returning the same string it receives

Deprecate 'db_null'

Trailing whitespace cleanup