Logo
Explore Help
Sign In
fa/breadcrumb-the-shire
1
0
Fork 1
You've already forked breadcrumb-the-shire
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
22966fdacfa2dbedcfdd3f62c161bef38aaeebbc
breadcrumb-the-shire/web/js/pages/admin-docs-index.js

4 lines
152 B
JavaScript
Raw Normal View History

feat(security): add Content-Security-Policy headers with strict script-src Eliminate all inline scripts to enable script-src 'self' without 'unsafe-inline', providing strong XSS mitigation via CSP. Inline script removal: - login.phtml: replace inline APP_ASSET_BASE with data-asset-base attribute + app-boot.js (matching default.phtml pattern) - api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js - docs: extract checkbox enablement to js/pages/admin-docs-index.js - language-switcher: replace onchange handler with data-auto-submit attribute + js/components/app-auto-submit.js event listener CSP policy (dev + prod nginx): default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; manifest-src 'self' Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:24:10 +01:00
document
.querySelectorAll('.app-docs-content li > input[type="checkbox"][disabled]')
.forEach((checkbox) => checkbox.removeAttribute('disabled'));
Reference in New Issue Copy Permalink
Powered by Gitea Version: 1.25.3 Page: 49ms Template: 2ms
English
Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語 简体中文 繁體中文(台灣) 繁體中文(香港) 한국어
Licenses API