[Bug 5812] New: paper theme uses inline javascript, making web.csp far less effective

mercurial-bugs at mercurial-scm.org mercurial-bugs at mercurial-scm.org
Sat Mar 10 17:29:25 UTC 2018


https://bz.mercurial-scm.org/show_bug.cgi?id=5812

            Bug ID: 5812
           Summary: paper theme uses inline javascript, making web.csp far
                    less effective
           Product: Mercurial
           Version: 4.5.2
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: feature
          Priority: wish
         Component: hgweb
          Assignee: bugzilla at mercurial-scm.org
          Reporter: av6 at dwimlabs.net
                CC: mercurial-devel at mercurial-scm.org

$ grep 'javascript:' -rn mercurial/templates/
paper/filediff.tmpl:68:<div class="sourcefirst linewraptoggle">line wrap: <a
class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
paper/filerevision.tmpl:68:<div class="sourcefirst linewraptoggle">line wrap:
<a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
paper/changeset.tmpl:72:    <a id="diffstatexpand"
href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
paper/changeset.tmpl:74:      <a
href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
paper/changeset.tmpl:82:<div class="sourcefirst linewraptoggle">line wrap: <a
class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>

While <script> elements in paper all have nonce when required, these <a>
elements don't, which means that either the functionality they enable doesn't
work or CSP needs "script-src: unsafe-inline".

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Mercurial-devel mailing list