Logo
Explore Help
Sign In
fa/breadcrumb-the-shire
1
0
Fork 1
You've already forked breadcrumb-the-shire
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
312d43d9d9233b5e362c19b478f78c8a49b4046f
breadcrumb-the-shire/web/js/pages/admin-docs-index.js

4 lines
152 B
JavaScript
Raw Normal View History

feat(security): add Content-Security-Policy headers with strict script-src Eliminate all inline scripts to enable script-src 'self' without 'unsafe-inline', providing strong XSS mitigation via CSP. Inline script removal: - login.phtml: replace inline APP_ASSET_BASE with data-asset-base attribute + app-boot.js (matching default.phtml pattern) - api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js - docs: extract checkbox enablement to js/pages/admin-docs-index.js - language-switcher: replace onchange handler with data-auto-submit attribute + js/components/app-auto-submit.js event listener CSP policy (dev + prod nginx): default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; manifest-src 'self' Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:24:10 +01:00
document
.querySelectorAll('.app-docs-content li > input[type="checkbox"][disabled]')
.forEach((checkbox) => checkbox.removeAttribute('disabled'));
Reference in New Issue Copy Permalink
Powered by Gitea Version: 1.25.3 Page: 54ms Template: 3ms
English
Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語 简体中文 繁體中文(台灣) 繁體中文(香港) 한국어
Licenses API