• last updated 16 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Fix typo

merged changes from the oacs-5-9 branch and resolved conflicts

  1. … 7832 more files in changeset.
commit after merge conflict

Prevent errors in between of a release upgrade when system still has not render_widgets proc defined. Users should restart the server asap anyway.

bootstrap installer:

- added csp policy to the files upgradeable via apm

- bumped version number to 5.9.1d5

  1. … 3 more files in changeset.
-- handle ie 11 (uses a different header field for CSP)

- move CSP generation to the end

  1. … 1 more file in changeset.
- Refine security policies: when necessary, define both a nonce and a

'unsafe-inline' to ensure compatibility on some less adavanced

browsers

- use same "secure" setting for ad_session_id, otherwise, just the

last one is honored

- fix linefeed and semicolon in js for focus handling

  1. … 2 more files in changeset.
- add csp-collector

file csp-collector.tcl was initially added on branch oacs-5-9.

    • -0
    • +0
    ./SYSTEM/csp-collector.tcl
- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined

body-script

- turn "body_event_handlers" into "window.addEventListener"

  1. … 3 more files in changeset.
- Added support for W3C Content Security Policy(CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:

Generate a CSP nonce token token

security::csp::require /directive/ /value/:

Add a requirements of a page to the CSP in order to generate

later a tailored policy with the minimal permissions for

this page. For example, the following requirement is

currently added per default to the oacs-master template to

permit style tags and style attribites in the markup.

security::csp::require style-src 'unsafe-inline'

security::csp::render:

Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/desctivate CSP

(default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

  1. … 6 more files in changeset.
- add support for W3C Subresource Integrity (SRI)

* For details about SRI, see https://www.w3.org/TR/SRI/

* Added arguments -crossorigin and -integrity

to the following functions

template::add_body_script

template::add_script

template::head::add_javascript

template::head::add_link

template::head::add_script

* Updated blank-master.adp

- some more cleanup:

* remove commented out code

* add missing argument documentation

(template::head::add_javascript)

* document arguments alphabetically

  1. … 3 more files in changeset.
- bring version in www (in cvs) in sync with version from packages/acs-bootstrap-installer/installer/www/

- regenerated documentation, including changelog

  1. … 123 more files in changeset.
- added version info

- update for js and flat list support

- improve validity for HTML5

  1. … 1 more file in changeset.
- provide minimal support for ckeditor4 (via CDN)

- added changes from antonio to pass handling for unknown editor to the master templates

  1. … 2 more files in changeset.
- improve safety of HTML

  1. … 1 more file in changeset.
- provide defaults for Content-Style-Type and Content-Script-Type

  1. … 1 more file in changeset.
- stick in oacs-5-8 to the old praxis and load core.js in oacs-5-9 as body script

- include js function acs_Focus() in head such that core.js can be

added safely as body_script

- remove obsolete handling for document.getElementById()

  1. … 1 more file in changeset.
Merging back to HEAD all changes that happened in branch oacs-5-8 between tags: vg-merge-oacs-5-8-from-20141027 and vg-merge-oacs-5-8-from-20150427

  1. … 520 more files in changeset.
- Moved core.js inclusion to bottom of the page to comply with web best practices

- Placed warnings for other non trivial cases of big js inclusion in the head

See http://www.openacs.org/forums/message-view?message_id=4266252

Merging back to HEAD branch oacs-5-8 (using tag vg-merge-oacs-5-8-from-20141027).

  1. … 2544 more files in changeset.
- allow message keys in javascript

- produce more efficient compiled adp template code (using preferably byte-compiled functions)

  1. … 1 more file in changeset.
- add support for the script async attribute (http://www.w3schools.com/tags/att_script_async.asp)

  1. … 1 more file in changeset.
- use expand operator instead of eval

- simplify logic

- use ::acs::rootdir variable instead of call

- use "![info exists]" instead of "template::util::is_nil" on scalars

  1. … 1 more file in changeset.