Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Add a restrictive default Content Security Policy and provide the wapp-content-security-policy command to change it if necessary. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
4022bf292df02230e65605b727b5e0b9 |
| User & Date: | drh 2018-01-31 00:19:54.688 |
Context
|
2018-01-31
| ||
| 01:09 | Get automatic compression working for CGI. (check-in: 9aa39ada4d user: drh tags: trunk) | |
| 00:19 | Add a restrictive default Content Security Policy and provide the wapp-content-security-policy command to change it if necessary. (check-in: 4022bf292d user: drh tags: trunk) | |
|
2018-01-30
| ||
| 23:46 | Add wapp-allow-xorigin-params and SAME_ORIGIN. Update the documentation accordingly. (check-in: e82121be4d user: drh tags: trunk) | |
Changes
Changes to README.md.
| ︙ | ︙ | |||
362 363 364 365 366 367 368 369 370 371 372 373 374 375 |
Examine all TCL procedures in the application and report errors about
unsafe usage of "wapp".
+ **wapp-cache-control** _CONTROL_
The _CONTROL_ argument should be one of "no-cache", "max-age=N", or
"private,max-age=N", where N is an integer number of seconds.
+ **wapp-debug-env**
This routine returns text that describes all of the Wapp parameters.
Use it to get a parameter dump for troubleshooting purposes.
The following additional interfaces are envisioned, but are not yet
implemented:
| > > > > > > > > | 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 |
Examine all TCL procedures in the application and report errors about
unsafe usage of "wapp".
+ **wapp-cache-control** _CONTROL_
The _CONTROL_ argument should be one of "no-cache", "max-age=N", or
"private,max-age=N", where N is an integer number of seconds.
+ **wapp-content-security-policy** _POLICY_
Set the Content Security Policy (hereafter "CSP") to _POLICY_. The
default CSP is "default-src 'self'", which is very restriction. The
default CSP disallows (a) loading any resources from other origins,
(b) the use of eval(), and (c) in-line javascript or CSS of any kind.
Set _POLICY_ to "off" to completely disable the CSP mechanism. Or
specify some other policy suitable for the needs of the application.
+ **wapp-debug-env**
This routine returns text that describes all of the Wapp parameters.
Use it to get a parameter dump for troubleshooting purposes.
The following additional interfaces are envisioned, but are not yet
implemented:
|
| ︙ | ︙ | |||
387 388 389 390 391 392 393 |
+ **wapp-send-file** _FILENAME_
Make the content of the file _FILENAME_ be the HTTP reply.
+ **wapp-send-query** _DB_ _SQL_
Run the SQLite query _SQL_ on the _DB_ database connection and make the
HTTP reply be the value of the first column of the first row in the result.
| < < < < < < | 395 396 397 398 399 400 401 402 403 404 405 406 407 408 |
+ **wapp-send-file** _FILENAME_
Make the content of the file _FILENAME_ be the HTTP reply.
+ **wapp-send-query** _DB_ _SQL_
Run the SQLite query _SQL_ on the _DB_ database connection and make the
HTTP reply be the value of the first column of the first row in the result.
+ **wapp-debug-port** _PORT_
For debugging use only: open a listening TCP socket on _PORT_ and run
an interactive TCL shell on connections to that port. This allows for
interactive debugging of a running instance of the Wapp server. This
command is a no-op for short-lived CGI programs, obviously. Also, this
command should only be used during debugging, as otherwise it introduces
a severe security vulnerability into the application.
|
| ︙ | ︙ |
Changes to test01.tcl.
| ︙ | ︙ | |||
17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
wapp "Environment with crazy URL</a>\n"
wapp-trim {
<li><p><a href='%html($B)/lint'>Lint</a>
<li><p><a href='%html($B)/errorout'>Deliberate error</a>
<li><p><a href='%html($B)/encodings'>Encoding checks</a>
<li><p><a href='%html($B)/redirect'>Redirect to env</a>
<li><p><a href='globals'>TCL global variables</a>
}
set x "%string(...)"
set v abc'def\"ghi\\jkl
wapp-subst {<li>%html($x) substitution test: "%string($v)"\n}
wapp "</ol>"
if {[dict exists $wapp showenv]} {
wapp-page-env
| > | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
wapp "Environment with crazy URL</a>\n"
wapp-trim {
<li><p><a href='%html($B)/lint'>Lint</a>
<li><p><a href='%html($B)/errorout'>Deliberate error</a>
<li><p><a href='%html($B)/encodings'>Encoding checks</a>
<li><p><a href='%html($B)/redirect'>Redirect to env</a>
<li><p><a href='globals'>TCL global variables</a>
<li><p><a href='csptest'>Content Security Policy</a>
}
set x "%string(...)"
set v abc'def\"ghi\\jkl
wapp-subst {<li>%html($x) substitution test: "%string($v)"\n}
wapp "</ol>"
if {[dict exists $wapp showenv]} {
wapp-page-env
|
| ︙ | ︙ | |||
141 142 143 144 145 146 147 148 149 |
}
# Deliberately generate an error to test error handling.
proc wapp-page-errorout {} {
wapp "<h1>Intentially generate an error</h1>\n"
wapp "<p>This test should be ignored by the error handler\n"
wapp $noSuchVariable
wapp "<p>After the error\n"
}
wapp-start $::argv
| > > > > > > > > > > > > > > | 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 |
}
# Deliberately generate an error to test error handling.
proc wapp-page-errorout {} {
wapp "<h1>Intentially generate an error</h1>\n"
wapp "<p>This test should be ignored by the error handler\n"
wapp $noSuchVariable
wapp "<p>After the error\n"
}
proc wapp-page-csptest {} {
wapp-allow-xorigin-params
if {[wapp-param-exists csp]} {
wapp-content-security-policy [wapp-param csp]
}
wapp-trim {
<h1>Content Security Policy Test Page</h1>
<p> There is a <script> at the bottom of
this page that will invoke an alert(). The
script will be disabled by the default CSP.
<p>Use the csp= query parameter to change CSP.
<script>alert("This is the alert");</script>
}
}
wapp-start $::argv
|
Changes to wapp.tcl.
| ︙ | ︙ | |||
267 268 269 270 271 272 273 274 275 276 277 278 279 280 |
#
proc wapp-allow-xorigin-params {} {
global wapp
if {![dict exists $wapp .qp] && ![dict get $wapp SAME_ORIGIN]} {
wappInt-decode-query-params
}
}
# Examine the bodys of all procedures in this program looking for
# unsafe calls to "wapp". Return a text string containing warnings.
# Return an empty string if all is ok.
#
# This routine is advisory only. It misses some constructs that are
# dangerous and flags others that are safe.
| > > > > > > > > > > > > > > > > > | 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 |
#
proc wapp-allow-xorigin-params {} {
global wapp
if {![dict exists $wapp .qp] && ![dict get $wapp SAME_ORIGIN]} {
wappInt-decode-query-params
}
}
# Set the content-security-policy.
#
# The default content-security-policy is very strict: "default-src 'self'"
# The default policy prohibits the use of in-line javascript or CSS.
#
# Provide an alternative CSP as the argument. Or use "off" to disable
# the CSP completely.
#
proc wapp-content-security-policy {val} {
global wapp
if {$val=="off"} {
dict unset wapp .csp
} else {
dict set wapp .csp $val
}
}
# Examine the bodys of all procedures in this program looking for
# unsafe calls to "wapp". Return a text string containing warnings.
# Return an empty string if all is ok.
#
# This routine is advisory only. It misses some constructs that are
# dangerous and flags others that are safe.
|
| ︙ | ︙ | |||
599 600 601 602 603 604 605 606 607 608 609 610 611 612 |
# invoking [error].
#
proc wappInt-handle-request {chan useCgi} {
global wapp
dict set wapp .reply {}
dict set wapp .mimetype {text/html; charset=utf-8}
dict set wapp .reply-code {200 Ok}
# Set up additional CGI environment values
#
if {![dict exists $wapp HTTP_HOST]} {
dict set wapp BASE_URL {}
} elseif {[dict exists $wapp HTTPS]} {
dict set wapp BASE_URL https://[dict get $wapp HTTP_HOST]
| > | 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 |
# invoking [error].
#
proc wappInt-handle-request {chan useCgi} {
global wapp
dict set wapp .reply {}
dict set wapp .mimetype {text/html; charset=utf-8}
dict set wapp .reply-code {200 Ok}
dict set wapp .csp {default-src 'self'}
# Set up additional CGI environment values
#
if {![dict exists $wapp HTTP_HOST]} {
dict set wapp BASE_URL {}
} elseif {[dict exists $wapp HTTPS]} {
dict set wapp BASE_URL https://[dict get $wapp HTTP_HOST]
|
| ︙ | ︙ | |||
700 701 702 703 704 705 706 707 708 709 710 711 712 713 |
puts $chan "Connection: close\r"
}
if {[dict exists $wapp .reply-extra]} {
foreach {name value} [dict get $wapp .reply-extra] {
puts $chan "$name: $value\r"
}
}
set mimetype [dict get $wapp .mimetype]
puts $chan "Content-Type: $mimetype\r"
if {[dict exists $wapp .new-cookies]} {
foreach {nm val} [dict get $wapp .new-cookies] {
if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
if {$val==""} {
puts $chan "Set-Cookie: $nm=; HttpOnly; Path=/; Max-Age=1\r"
| > > > | 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 |
puts $chan "Connection: close\r"
}
if {[dict exists $wapp .reply-extra]} {
foreach {name value} [dict get $wapp .reply-extra] {
puts $chan "$name: $value\r"
}
}
if {[dict exists $wapp .csp]} {
puts $chan "Content-Security-Policy: [dict get $wapp .csp]\r"
}
set mimetype [dict get $wapp .mimetype]
puts $chan "Content-Type: $mimetype\r"
if {[dict exists $wapp .new-cookies]} {
foreach {nm val} [dict get $wapp .new-cookies] {
if {[regexp {^[a-z][-a-z0-9_]*$} $nm]} {
if {$val==""} {
puts $chan "Set-Cookie: $nm=; HttpOnly; Path=/; Max-Age=1\r"
|
| ︙ | ︙ |