Version bump

phax · Feb 26, 2025 · 1d70cef · 1d70cef
1 parent f63e444
commit 1d70cef
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 76 deletions.
diff --git a/...-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPApplicationXServletHandler.java b/...-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPApplicationXServletHandler.java
@@ -19,10 +19,11 @@
 import java.io.IOException;
 
 import com.helger.commons.http.CHttpHeader;
-import com.helger.http.csp.CSP2Directive;
-import com.helger.http.csp.CSP2Policy;
-import com.helger.http.csp.CSP2SourceList;
+import com.helger.http.csp.CSPDirective;
+import com.helger.http.csp.CSPPolicy;
+import com.helger.http.csp.CSPSourceList;
 import com.helger.phoss.smp.app.SMPWebAppConfiguration;
+import com.helger.photon.app.csrf.CSRFSessionManager;
 import com.helger.photon.core.servlet.AbstractApplicationXServletHandler;
 import com.helger.servlet.response.UnifiedResponse;
 import com.helger.web.scope.IRequestWebScopeWithoutResponse;
@@ -46,26 +47,33 @@ public void handleRequest (final IRequestWebScopeWithoutResponse aRequestScope,
       final boolean bReportingOnly = SMPWebAppConfiguration.isCSPReportingOnly ();
       final boolean bReporting = bReportingOnly || SMPWebAppConfiguration.isCSPReportingEnabled ();
 
-      final CSP2SourceList aScriptSrcList = new CSP2SourceList ().addKeywordSelf ().addKeywordUnsafeInline ();
-      final CSP2SourceList aStyleSrcList = new CSP2SourceList ().addKeywordSelf ().addKeywordUnsafeInline ();
+      final String sNonce = CSRFSessionManager.getInstance ().getNonce ();
+      final CSPSourceList aScriptSrcList = new CSPSourceList ().addKeywordSelf ()
+                                                               .addNonce (sNonce)
+                                                               .addKeywordReportSample ();
+      final CSPSourceList aStyleSrcList = new CSPSourceList ().addKeywordSelf ()
+                                                              .addNonce (sNonce)
+                                                              .addKeywordReportSample ();
+      final CSPSourceList aStyleSrcAttrList = new CSPSourceList ().addKeywordSelf ().addKeywordUnsafeInline ();
       // Allow data images for Bootstrap 4
-      final CSP2SourceList aImgSrcList = new CSP2SourceList ().addKeywordSelf ().addHost ("data:");
-      final CSP2SourceList aConnectSrcList = new CSP2SourceList ().addKeywordSelf ();
-      final CSP2SourceList aFontSrcList = new CSP2SourceList ().addKeywordSelf ();
+      final CSPSourceList aImgSrcList = new CSPSourceList ().addKeywordSelf ().addHost ("data:");
+      final CSPSourceList aConnectSrcList = new CSPSourceList ().addKeywordSelf ();
+      final CSPSourceList aFontSrcList = new CSPSourceList ().addKeywordSelf ();
 
-      final CSP2Policy aPolicy = new CSP2Policy ();
-      aPolicy.addDirective (CSP2Directive.createDefaultSrc (new CSP2SourceList ().addKeywordNone ()))
-             .addDirective (CSP2Directive.createScriptSrc (aScriptSrcList))
-             .addDirective (CSP2Directive.createStyleSrc (aStyleSrcList))
-             .addDirective (CSP2Directive.createImgSrc (aImgSrcList))
-             .addDirective (CSP2Directive.createConnectSrc (aConnectSrcList))
-             .addDirective (CSP2Directive.createFontSrc (aFontSrcList));
+      final CSPPolicy aPolicy = new CSPPolicy ();
+      aPolicy.addDirective (CSPDirective.createDefaultSrc (new CSPSourceList ().addKeywordNone ()))
+             .addDirective (CSPDirective.createScriptSrc (aScriptSrcList))
+             .addDirective (CSPDirective.createStyleSrc (aStyleSrcList))
+             .addDirective (CSPDirective.createStyleSrcAttr (aStyleSrcAttrList))
+             .addDirective (CSPDirective.createImgSrc (aImgSrcList))
+             .addDirective (CSPDirective.createConnectSrc (aConnectSrcList))
+             .addDirective (CSPDirective.createFontSrc (aFontSrcList));
 
       if (bReporting)
       {
         // Report only if enabled - avoid spaming
-        aPolicy.addDirective (CSP2Directive.createReportURI (aRequestScope.getContextPath () +
-                                                             SMPCSPReportingServlet.SERVLET_DEFAULT_PATH));
+        aPolicy.addDirective (CSPDirective.createReportURI (aRequestScope.getContextPath () +
+                                                            SMPCSPReportingServlet.SERVLET_DEFAULT_PATH));
       }
 
       // Default

diff --git a/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/ui/SMPCommonUI.java b/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/ui/SMPCommonUI.java
@@ -54,7 +54,7 @@
 import com.helger.html.jscode.JSAnonymousFunction;
 import com.helger.html.jscode.JSAssocArray;
 import com.helger.html.jscode.JSPackage;
-import com.helger.html.jscode.JSVar;
+import com.helger.html.jscode.JSParam;
 import com.helger.html.jscode.html.JSHtml;
 import com.helger.peppolid.peppol.doctype.IPeppolDocumentTypeIdentifierParts;
 import com.helger.phoss.smp.CSMPServer;
@@ -207,7 +207,7 @@ public static BootstrapForm createViewLoginForm (@Nonnull final ILayoutExecution
     {
       final JSPackage aOnClick = new JSPackage ();
       final JSAnonymousFunction aJSSuccess = new JSAnonymousFunction ();
-      final JSVar aJSData = aJSSuccess.param ("data");
+      final JSParam aJSData = aJSSuccess.param ("data");
       aJSSuccess.body ()
                 ._if (aJSData.ref (AjaxExecutorPublicLogin.JSON_LOGGEDIN),
                       JSHtml.windowLocationReload (),