openrat-cms


commit e815971903ae69d51001cedc5fc4d8a7071047d7
parent 569f5add22c759f3cd82e16741aab628b51bcdd8
Author: Jan Dankert <devnull@localhost>
Date:   Mon,  1 Jan 2018 22:13:16 +0100

Theme-CSS nicht als Inline-CSS, sondern vom Server laden. Dadurch können Inline-Styles jetzt per Content-Security-Policy verboten werden.

Diffstat:
modules/cms-core/action/IndexAction.class.php | 15+++++++++++++--
modules/cms-ui/UI.class.php | 11++++++-----
modules/cms-ui/themes/default/layout/index.php | 4+---
3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/modules/cms-core/action/IndexAction.class.php b/modules/cms-core/action/IndexAction.class.php @@ -115,7 +115,7 @@ class IndexAction extends Action $jsFiles = $this->getJSFiles(); $cssFiles = $this->getCSSFiles(); - $themeCss = $this->getThemeCSS(); + //$themeCss = $this->getThemeCSS(); // HTML-Datei direkt einbinden. require('modules/cms-ui/themes/default/layout/index.php'); @@ -235,7 +235,18 @@ class IndexAction extends Action } - + public function themestyleView() + { + $themeLessFile = OR_THEMES_DIR . 'default/css/openrat-theme.less'; + $this->lastModified(filemtime($themeLessFile)); + + header('Content-Type: text/css'); + echo $this->getThemeCSS(); + exit; + } + + + private function getThemeCSS() { // Je Theme die Theme-CSS-Datei ausgeben. diff --git a/modules/cms-ui/UI.class.php b/modules/cms-ui/UI.class.php @@ -44,11 +44,12 @@ class UI // Content-Security-Policy //if (config('security','content-security-policy')) // config is not loaded yet. - $csp = array('default-src \'none\'', + $contentSecurityPolicyEntries = array( + 'default-src \'none\'', 'script-src \'self\' \'unsafe-inline\'', // No <object>, <embed> or <applet>. 'object-src \'none\'', - 'style-src \'self\' \'unsafe-inline\'', + 'style-src \'self\'', 'img-src \'self\'', // No <audio>, <video> elements 'media-src \'none\'', @@ -57,7 +58,7 @@ class UI 'font-src \'none\'', // Ajax-Calls 'connect-src \'self\''); - header('Content-Security-Policy: '.implode(';',$csp)); + header('Content-Security-Policy: '.implode(';',$contentSecurityPolicyEntries)); $data = $dispatcher->doAction(); 
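Review bot: The first IndexAction hunk comments out `$themeCss = $this->getThemeCSS();` instead of deleting it; the template no longer reads `$themeCss` (its `<style>` block is replaced by a `<link>` in index.php), so the line is dead code and version history already preserves it. Remove `//$themeCss = $this->getThemeCSS();` outright. The enclosing method starts and ends outside the hunk.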
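Review bot: In the new `themestyleView()`, `filemtime($themeLessFile)` is handed to `lastModified()` unchecked; if the .less file is missing or unreadable, `filemtime()` emits a warning and returns `false`, so a Last-Modified header would be derived from `false` and the method would still go on to render CSS. Guard it first, e.g. `if (!is_file($themeLessFile)) { ... }` and respond with an error status rather than continuing, or store the result (`$mtime = filemtime($themeLessFile);`) and check `$mtime === false` before calling `lastModified()`. The method also deserves a docblock stating that it serves the compiled theme stylesheet as `text/css` and terminates the request with `exit`, since `exit` bypasses whatever the dispatcher does after `doAction()` — that caller is outside the hunk, so the consequence cannot be judged here. `getThemeCSS()` begins in this hunk and ends outside it.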
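Review bot: `style-src` is tightened to `'self'`, but `'script-src \'self\' \'unsafe-inline\''` two lines above still permits inline scripts, which is the part of the policy that matters most against injected markup; a comment should record the remaining gap, e.g. `// TODO: script-src still allows 'unsafe-inline'; move inline <script> blocks into files so it can be dropped as well.` Note also that with `style-src 'self'` every inline `style="..."` attribute and `<style>` block anywhere in the templates is now silently blocked by the browser, not just the theme CSS this commit moves — worth a check of the templates before merging, as they are not visible here. The `//if (config(...))` line with `// config is not loaded yet.` leaves the policy impossible to tune per installation; if that is intentional for now, say so in the comment. The enclosing method starts outside the hunk.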
@@ -77,12 +78,12 @@ class UI Logger::warn("Object not found: " . $e->__toString()); // Nur Debug, da dies bei gelöschten Objekten vorkommen kann. Http::noContent(); } catch (OpenRatException $e) { - throw new LogicException(lang($e->key), $e->__toString()); + throw new LogicException(lang($e->key),0, $e); } catch (SecurityException $e) { Logger::info($e->getMessage()); Http::notAuthorized("You are not allowed to execute this action."); } catch (Exception $e) { - throw new LogicException("Internal CMS error", $e->__toString()); + throw new LogicException("Internal CMS error: ".$e->__toString(),0, $e); } } diff --git a/modules/cms-ui/themes/default/layout/index.php b/modules/cms-ui/themes/default/layout/index.php @@ -30,9 +30,7 @@ <link rel="stylesheet" type="text/css" href="<?php echo OR_HTML_MODULES_DIR . 'editor/codemirror/lib/codemirror.css' ?>" /> <?php foreach( $cssFiles as $cssFile) { ?> <link rel="stylesheet" type="text/css" href="<?php echo $cssFile ?>" /> <?php } ?> - <style type="text/css"> - <?php echo $themeCss ?> - </style> + <link rel="stylesheet" type="text/css" href="<?php echo Html::url('index','themestyle') ?>" /> </head> <?php
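Review bot: The second rewritten throw embeds `$e->__toString()` — which includes the stack trace with server file paths — in the `LogicException` message, so if that message is ever rendered to the client it discloses internals; since the original exception is now chained as `previous`, the generic text suffices: `throw new LogicException("Internal CMS error", 0, $e);`. The first rewritten throw, `throw new LogicException(lang($e->key),0, $e);`, already has the right shape. Whether the message reaches the browser depends on the handler above this method, which is outside the hunk, as is the start of the enclosing method.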
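Review bot: The new `<link>` echoes `Html::url('index','themestyle')` straight into an `href` attribute without attribute escaping, mirroring the `$cssFile` line above it; if `Html::url()` returns a query string, a bare `&` yields invalid markup, and any quoting character would end the attribute early. Wrapping it as `href="<?php echo htmlspecialchars(Html::url('index','themestyle'), ENT_QUOTES, 'UTF-8') ?>"` is the conventional guard and costs nothing. Whether `Html::url()` already escapes its output, and whether it always yields a same-origin URL as the new `style-src 'self'` requires, is not visible from this hunk.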