-rw-r--r--internal/template/templates/common/layout.html4
-rw-r--r--internal/ui/static/js/app.js2
-rw-r--r--internal/ui/static/js/bootstrap.js2
-rw-r--r--internal/ui/static/js/tt.js15
-rw-r--r--internal/ui/static/static.go1
5 files changed, 20 insertions, 4 deletions
diff --git a/internal/template/templates/common/layout.html b/internal/template/templates/common/layout.html
index f456c058..19019c1e 100644
--- a/internal/template/templates/common/layout.html
+++ b/internal/template/templates/common/layout.html
@@ -36,10 +36,10 @@
{{ if and .user .user.Stylesheet }}
{{ $stylesheetNonce := nonce }}
- <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'">
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'; require-trusted-types-for 'script'; trusted-types ttpolicy;">
<style nonce="{{ $stylesheetNonce }}">{{ .user.Stylesheet | safeCSS }}</style>
{{ else }}
- <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *">
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; require-trusted-types-for 'script'; trusted-types ttpolicy;">
{{ end }}
<script src="{{ route "javascript" "name" "app" "checksum" .app_js_checksum }}" defer></script>
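Review bot: Both new CSP variants turn on enforcement for every DOM XSS sink in the page, but the commit only converts two sinks (an `innerHTML` assignment in app.js and the service-worker `register()` in bootstrap.js); any other `innerHTML`/`insertAdjacentHTML`/`outerHTML` assignment, `document.write`, `script.src` or `eval`-style call left in the bundled scripts will now throw a TypeError in browsers that implement Trusted Types, while browsers that don't simply ignore the directive, so the breakage is browser-dependent and easy to miss in testing. It would be worth stating this in the template next to the directive, e.g. `{{/* require-trusted-types-for: every string-to-DOM sink in the JS bundles must go through the ttpolicy policy (see js/tt.js) */}}`, and grepping the static JS for remaining raw sinks before merging. Note also that the `trusted-types ttpolicy` directive without `'allow-duplicates'` means a second `createPolicy('ttpolicy')` call (e.g. if tt.js were ever bundled twice) throws rather than being deduplicated. The trailing `;` inside `content` is harmless but inconsistent with the other directives.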
diff --git a/internal/ui/static/js/app.js b/internal/ui/static/js/app.js
index 00083b20..79ffb4b5 100644
--- a/internal/ui/static/js/app.js
+++ b/internal/ui/static/js/app.js
@@ -352,7 +352,7 @@ function handleFetchOriginalContent() {
response.json().then((data) => {
if (data.hasOwnProperty("content") && data.hasOwnProperty("reading_time")) {
- document.querySelector(".entry-content").innerHTML = data.content;
+ document.querySelector(".entry-content").innerHTML = ttpolicy.createHTML(data.content);
const entryReadingtimeElement = document.querySelector(".entry-reading-time");
if (entryReadingtimeElement) {
entryReadingtimeElement.textContent = data.reading_time;
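Review bot: The new `ttpolicy.createHTML(data.content)` on the `innerHTML` line adds no sanitization — in tt.js the policy's `createHTML` is the identity function — so this assignment satisfies the Trusted Types check while still injecting `data.content` verbatim, and the only thing standing between remote feed markup and the DOM remains whatever the server applied before returning it. That is fine if it is a deliberate "server sanitizes, client trusts" design, but the line now reads as if the client vets the HTML; a comment such as `// ttpolicy.createHTML() is a pass-through: data.content must already be sanitized server-side` would stop the next reader from relying on it. As a point of style, `data.hasOwnProperty("content")` can be written `Object.hasOwn(data, "content")` if the bundle already targets browsers with that API. The `.then` callback and `handleFetchOriginalContent` itself continue outside this hunk.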
diff --git a/internal/ui/static/js/bootstrap.js b/internal/ui/static/js/bootstrap.js
index c83704c3..44d6e716 100644
--- a/internal/ui/static/js/bootstrap.js
+++ b/internal/ui/static/js/bootstrap.js
@@ -129,7 +129,7 @@ document.addEventListener("DOMContentLoaded", () => {
if ("serviceWorker" in navigator) {
const scriptElement = document.getElementById("service-worker-script");
if (scriptElement) {
- navigator.serviceWorker.register(scriptElement.src);
+ navigator.serviceWorker.register(ttpolicy.createScriptURL(scriptElement.src));
}
}
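Review bot: Wrapping the URL in `ttpolicy.createScriptURL()` makes the `register()` call depend on a policy that is a pass-through today but carries a TODO to become an allow-list; once that lands, a rejected URL throws a synchronous TypeError inside this `DOMContentLoaded` listener and aborts whatever code follows it, and the promise returned by `register()` is still left without a rejection handler, so a failed registration surfaces only as an unhandled-rejection console message. I would at least attach a handler on the new line, `navigator.serviceWorker.register(ttpolicy.createScriptURL(scriptElement.src)).catch((err) => console.error("Service worker registration failed:", err));`, and guard the policy call with a `try`/`catch` if other setup in this listener must survive a blocked URL. `ttpolicy` is a bare global defined in tt.js, which this commit only prepends to the `app` bundle; if bootstrap.js is shipped in a different bundle that line is a ReferenceError (I cannot see the bundle membership from this diff). The enclosing listener starts and ends outside this hunk.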
diff --git a/internal/ui/static/js/tt.js b/internal/ui/static/js/tt.js
new file mode 100644
index 00000000..f42cc47a
--- /dev/null
+++ b/internal/ui/static/js/tt.js
@@ -0,0 +1,15 @@
+let ttpolicy;
+if (window.trustedTypes && trustedTypes.createPolicy) {
+ //TODO: use an allow-list for `createScriptURL`
+ if (!ttpolicy) {
+ ttpolicy = trustedTypes.createPolicy('ttpolicy', {
+ createScriptURL: src => src,
+ createHTML: html => html,
+ });
+ }
+} else {
+ ttpolicy = {
+ createScriptURL: src => src,
+ createHTML: html => html,
+ };
+}
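Review bot: Both `createScriptURL: src => src` and `createHTML: html => html` are identity functions, so with this file the page passes the Trusted Types check without any actual vetting of the values; the TODO on the script-URL side can be closed now with a same-origin check, since the page's CSP is already `default-src 'self'` and a service-worker script must be same-origin anyway, which makes the check a no-op for legitimate callers and a hard failure for anything injected. The `if (!ttpolicy)` guard on the line after the feature check is dead code: `ttpolicy` is declared with `let` and no initializer two lines above, so the condition is always true and does not protect against the `TypeError` that `trustedTypes.createPolicy` throws when a policy named `ttpolicy` already exists (the CSP's `trusted-types ttpolicy` has no `'allow-duplicates'`). `createHTML` has no equally cheap hardening — client-side HTML sanitization is a larger change — so I would document it as a deliberate pass-through: `// createHTML is intentionally a pass-through; HTML reaching the client is expected to be sanitized server-side`.
```javascript
// Only same-origin script URLs are accepted; this mirrors the page's `default-src 'self'` CSP.
const allowSameOriginScriptURL = (src) => {
  const url = new URL(src, document.baseURI);
  if (url.origin !== window.location.origin) {
    throw new TypeError(`Refusing script URL from foreign origin: ${url.origin}`);
  }
  return url.href;
};
// … unchanged: feature detection; both the real policy and the fallback object use
//   createScriptURL: allowSameOriginScriptURL in place of `src => src` …
```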
diff --git a/internal/ui/static/static.go b/internal/ui/static/static.go
index fd653b81..3ddff18d 100644
--- a/internal/ui/static/static.go
+++ b/internal/ui/static/static.go
@@ -113,6 +113,7 @@ func GenerateStylesheetsBundles() error {
func GenerateJavascriptBundles() error {
var bundles = map[string][]string{
"app": {
+ "js/tt.js", // has to be first
"js/dom_helper.js",
"js/touch_handler.js",
"js/keyboard_handler.js",
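Review bot: The comment `// has to be first` on the new entry says what but not why, and the ordering constraint is the whole point of the line: tt.js declares the `ttpolicy` global that the other bundled scripts reference at top level, so if someone later sorts this list alphabetically the bundle breaks in a way that only shows up at runtime in Trusted-Types-enforcing browsers. I would spell it out, e.g. `"js/tt.js", // must stay first: defines the global ttpolicy Trusted Types policy used by the scripts below`. The diff adds tt.js only to the `app` bundle; if bootstrap.js (which now calls `ttpolicy.createScriptURL`) lives in a different bundle it also needs tt.js prepended, which I cannot confirm from the lines shown.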