[Bug 5812] New: paper theme uses inline javascript, making web.csp far less effective
mercurial-bugs at mercurial-scm.org
Sat Mar 10 17:29:25 UTC 2018
https://bz.mercurial-scm.org/show_bug.cgi?id=5812
Bug ID: 5812
Summary: paper theme uses inline javascript, making web.csp far less effective
Product: Mercurial
Version: 4.5.2
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: feature
Priority: wish
Component: hgweb
Assignee: bugzilla at mercurial-scm.org
Reporter: av6 at dwimlabs.net
CC: mercurial-devel at mercurial-scm.org
$ grep 'javascript:' -rn mercurial/templates/
paper/filediff.tmpl:68:<div class="sourcefirst linewraptoggle">line wrap: <a
class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
paper/filerevision.tmpl:68:<div class="sourcefirst linewraptoggle">line wrap:
<a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
paper/changeset.tmpl:72: <a id="diffstatexpand"
href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
paper/changeset.tmpl:74: <a
href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
paper/changeset.tmpl:82:<div class="sourcefirst linewraptoggle">line wrap: <a
class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
While <script> elements in paper all have nonce when required, these <a>
elements don't, which means that either the functionality they enable doesn't
work or CSP needs "script-src: unsafe-inline".
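The grep above only matches the literal string "javascript:". As an added check (not part of the report or of Mercurial's own tooling), the following Python script parses template output and reports every construct that a nonce-based script-src policy blocks: javascript: URLs in href/src attributes, inline on* event handlers, and inline <script> elements without a nonce. The sample fragment is constructed, modelled on the paper template lines quoted above; function and class names are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the paper template lines quoted in the report,
# plus a nonce'd script, an un-nonced script and an inline handler for contrast.
SAMPLE = """<div class="sourcefirst linewraptoggle">line wrap: <a
class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
<a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
<script nonce="abc123">/* allowed by script-src 'nonce-abc123' */</script>
<script>var x = 1;</script>
<button onclick="toggleDiffstat()">toggle</button>
"""

URL_ATTRS = ("href", "src", "action", "formaction")


class CspInlineFinder(HTMLParser):
    """Collect (line, reason) for markup that a nonce-only script-src rejects."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # position of the opening '<' of this tag
        names = {name for name, _ in attrs}
        for name, value in attrs:
            # Inline event handlers (onclick=, onload=, ...) cannot carry a nonce.
            if name.startswith("on") and len(name) > 2 and value is not None:
                self.findings.append((line, f"inline handler {name}="))
            # javascript: URLs are script too, and likewise cannot carry a nonce.
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name}"))
        # An inline <script> is only allowed if it carries the per-response nonce.
        if tag == "script" and "src" not in names and "nonce" not in names:
            self.findings.append((line, "inline <script> without nonce"))


def find_csp_blockers(html):
    """Return a list of (line, reason) tuples, in document order."""
    parser = CspInlineFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, reason in find_csp_blockers(SAMPLE):
        print(f"line {line}: {reason}")
```

Run it over rendered hgweb pages (not the raw templates, so that template expansion is included) to confirm that nothing but nonce'd script elements remain before dropping 'unsafe-inline' from the policy.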