1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 14:00:56 +01:00
phorge-phorge/webroot/rsrc/externals/javelin
epriestley ab579f2511 Never generate file download forms which point to the CDN domain, tighten "form-action" CSP
Summary:
Depends on D19155. Ref T13094. Ref T4340.

We can't currently implement a strict `form-action 'self'` content security policy because some file downloads rely on a `<form />` which sometimes POSTs to the CDN domain.

Broadly, stop generating these forms. We just redirect instead, and show an interstitial confirm dialog if no CDN domain is configured. This makes the UX for installs with no CDN domain a little worse and the UX for everyone else better.

Then, implement the stricter Content-Security-Policy.

This also removes extra confirm dialogs for downloading Harbormaster build logs and data exports.

Test Plan:
  - Went through the plain data export, data export with bulk jobs, ssh key generation, calendar ICS download, Diffusion data, Paste data, Harbormaster log data, and normal file data download workflows with a CDN domain.
  - Went through all those workflows again without a CDN domain.
  - Grepped for affected symbols (`getCDNURI()`, `getDownloadURI()`).
  - Added an evil form to a page, tried to submit it, was rejected.
  - Went through the ReCaptcha and Stripe flows again to see if they're submitting any forms.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13094, T4340

Differential Revision: https://secure.phabricator.com/D19156
2018-02-28 17:20:12 -08:00
..
core Emit a "Content-Security-Policy" HTTP header 2018-02-27 10:17:30 -08:00
docs Change monospace text formatting 2015-05-31 10:07:45 +10:00
ext Use single quotes in JavaScript files 2015-01-20 08:53:47 +11:00
lib Never generate file download forms which point to the CDN domain, tighten "form-action" CSP 2018-02-28 17:20:12 -08:00
LICENSE Fix text lint issues 2015-02-12 07:00:13 +11:00
README Move all external JS into webroot/rsrc/externals 2013-04-11 10:06:05 -07:00

Javelin is a performance-oriented Javascript library originally developed at
Facebook. Learn more at <http://www.javelinjs.com/>.

GETTING STARTED

Eat a hearty breakfast. Breakfast is the most important meal of the day!


WHAT IS JAVELIN?

Javelin is a compact Javascript library built around event delegation. Its
primary design goal is performance; it is consequently well-suited to projects
where performance is very important. It is not as good for smaller scale
projects where other concerns (like features or ease of development) are more
important.


PACKAGES

Packages come in two flavors: "dev" and "min". The "dev" packages are intended
for development, and have comments and debugging code. The "min" packages have
the same code, but with comments and debugging information stripped out and
symbols crushed. They are intended for use in production -- ha ha ha!


FILES

  example/    Example code.
  LICENSE     A thrilling narrative.
  pkg/        Ready-built Javelin packages.
  README      Who knows? Could be anything.
  src/        Raw sources for Javelin.
  support/    Support scripts and libraries.