1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-24 06:20:56 +01:00
phorge-phorge/webroot/rsrc/externals/javelin/lib
epriestley ab579f2511 Never generate file download forms which point to the CDN domain, tighten "form-action" CSP
Summary:
Depends on D19155. Ref T13094. Ref T4340.

We can't currently implement a strict `form-action 'self'` content security policy because some file downloads rely on a `<form />` which sometimes POSTs to the CDN domain.

Broadly, stop generating these forms. We just redirect instead, and show an interstitial confirm dialog if no CDN domain is configured. This makes the UX for installs with no CDN domain a little worse and the UX for everyone else better.

Then, implement the stricter Content-Security-Policy.

This also removes extra confirm dialogs for downloading Harbormaster build logs and data exports.

Test Plan:
  - Went through the plain data export, data export with bulk jobs, ssh key generation, calendar ICS download, Diffusion data, Paste data, Harbormaster log data, and normal file data download workflows with a CDN domain.
  - Went through all those workflows again without a CDN domain.
  - Grepped for affected symbols (`getCDNURI()`, `getDownloadURI()`).
  - Added an evil form to a page, tried to submit it, was rejected.
  - Went through the ReCaptcha and Stripe flows again to see if they're submitting any forms.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13094, T4340

Differential Revision: https://secure.phabricator.com/D19156
2018-02-28 17:20:12 -08:00
..
__tests__ Remove an unused variable 2015-01-20 21:25:40 +11:00
control Make project token sorting and normalization a little less hacky 2016-11-17 08:02:23 -08:00
behavior.js Remove @group annotations 2014-07-10 08:12:48 +10:00
Cookie.js Fix another undefined variable 2015-01-20 08:55:04 +11:00
DOM.js Move the "select a line range" inline code to DiffInline 2017-05-17 08:41:26 -07:00
History.js Fix an issue with returning to a the initial page in Quicksand 2015-03-28 07:38:14 -07:00
JSON.js Remove @group annotations 2014-07-10 08:12:48 +10:00
Leader.js Decrease JX.Leader lease duration from 16,000ms to 1,500ms and usurp more aggressively 2017-04-17 15:48:47 -07:00
Mask.js Remove @group annotations 2014-07-10 08:12:48 +10:00
Quicksand.js When logged-out users hit a "Login Required" dialog, try to choose a better "next" URI 2015-12-17 08:30:03 -08:00
Request.js Fix various lint issues in rJX 2015-01-14 07:59:56 +11:00
Resource.js Fix various lint issues in rJX 2015-01-14 07:59:56 +11:00
Routable.js Provide a global router for Ajax requests 2014-05-05 10:57:42 -07:00
Router.js Provide a global router for Ajax requests 2014-05-05 10:57:42 -07:00
Scrollbar.js Hide the Differential scroll objective list on trackpad systems 2017-05-20 07:56:21 -07:00
Sound.js Add support for playing sounds 2015-03-10 14:20:00 -07:00
URI.js When logged-out users hit a "Login Required" dialog, try to choose a better "next" URI 2015-12-17 08:30:03 -08:00
Vector.js Fix anchor-clicking scroll positions 2015-01-28 08:26:10 -08:00
WebSocket.js When disconnected from Aphlict after a successful connection, retry the first reconnect right away 2017-04-17 15:53:29 -07:00
Workflow.js Never generate file download forms which point to the CDN domain, tighten "form-action" CSP 2018-02-28 17:20:12 -08:00