Logo
Explore Help
Sign In
fa/breadcrumb-the-shire
1
0
Fork 1
You've already forked breadcrumb-the-shire
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
2b2f41ebab01acb9284ea50c6c448e5ad8b5ccbf
breadcrumb-the-shire/web/js/pages/admin-docs-index.js

4 lines
152 B
JavaScript
Raw Normal View History

feat(security): add Content-Security-Policy headers with strict script-src Eliminate all inline scripts to enable script-src 'self' without 'unsafe-inline', providing strong XSS mitigation via CSP. Inline script removal: - login.phtml: replace inline APP_ASSET_BASE with data-asset-base attribute + app-boot.js (matching default.phtml pattern) - api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js - docs: extract checkbox enablement to js/pages/admin-docs-index.js - language-switcher: replace onchange handler with data-auto-submit attribute + js/components/app-auto-submit.js event listener CSP policy (dev + prod nginx): default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; manifest-src 'self' Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:24:10 +01:00
document
.querySelectorAll('.app-docs-content li > input[type="checkbox"][disabled]')
.forEach((checkbox) => checkbox.removeAttribute('disabled'));
Reference in New Issue Copy Permalink
Powered by Gitea Version: 1.25.3 Page: 54ms Template: 2ms
English
Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語 简体中文 繁體中文(台灣) 繁體中文(香港) 한국어
Licenses API