Wapp

Changes On Branch tcltls
Login
Patch Unified Diff

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Changes In Branch tcltls Excluding Merge-Ins

This is equivalent to a diff from 4d00e13e65 to 255f9ed52a

2019-07-30
15:35
Documentation updates. No changes to code. (check-in: c366208c59 user: drh tags: trunk)
15:34
Use "info command" instead of "info proc". Ticket [88807f83a6d9ddfd] (check-in: 359e3e19e9 user: drh tags: trunk)
2019-07-29
19:51
Documentation updates. No changes to code. (Leaf check-in: 255f9ed52a user: drh tags: tcltls)
2019-07-22
12:49
Add support for building wapptclsh with TclTLS. (check-in: dd273e0756 user: drh tags: tcltls)
2019-06-13
14:24
Add a link to the "Simple Live Demos" page to the README.md file. (check-in: 4d00e13e65 user: drh tags: trunk)
2019-04-30
16:56
Add the wapptest.tcl script from SQLite to the list of real-world usage examples. (check-in: b25a28b219 user: drh tags: trunk)

Changes to Makefile. 
1
2
3

4
5
6












7
8
9
10
11
12
13
14
15
16
17

#!/usr/bin/make

CC = gcc -Os -static

TCLLIB = /home/drh/tcl/lib/libtcl8.7.a -lm -lz -lpthread -ldl
TCLINC = /home/drh/tcl/include
TCLSH = tclsh













all: wapptclsh

wapptclsh: wapptclsh.c
	$(CC) -I. -I$(TCLINC) -o $@ wapptclsh.c $(TCLLIB)

wapptclsh.c:	wapptclsh.c.in wapp.tcl wapptclsh.tcl tclsqlite3.c mkccode.tcl
	$(TCLSH) mkccode.tcl wapptclsh.c.in >$@

clean:	
	rm wapptclsh wapptclsh.c




>
|


>
>
>
>
>
>
>
>
>
>
>
>




|





|

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

#!/usr/bin/make

CC = gcc -Os -static
TCLLIB1 = 
TCLLIB2 = /home/drh/tcl/lib/libtcl8.7.a -lm -lz -lpthread -ldl
TCLINC = /home/drh/tcl/include
TCLSH = tclsh

# Comment out the following to disable TLS support.
#
# The tcltls.a library can be build from sources obtained from
#
#      https://core.tcl-lang.org/tcltls/wiki/Download
#
# Use "./configure --disable-shared".  You will also need to install static
# OpenSSL libraries.
#
CC += -DWAPP_ENABLE_TCLTLS
TCLLIB1 = /home/drh/tcl/lib/tcltls.a -lssl -lcrypto

all: wapptclsh

wapptclsh: wapptclsh.c
	$(CC) -I. -I$(TCLINC) -o $@ wapptclsh.c $(TCLLIB1) $(TCLLIB2)

wapptclsh.c:	wapptclsh.c.in wapp.tcl wapptclsh.tcl tclsqlite3.c mkccode.tcl
	$(TCLSH) mkccode.tcl wapptclsh.c.in >$@

clean:	
	rm -f wapptclsh wapptclsh.c
Changes to docs/commands.md. 
118
119
120
121
122
123
124
125








126
127
128
129
130
131
132

  +  <a name='csp'></a>**wapp-content-security-policy** _POLICY_  
     Set the Content Security Policy (hereafter "CSP") to _POLICY_.  The
     default CSP is _default\_src 'self'_, which is very restrictive.  The
     default CSP disallows (a) loading any resources from other origins,
     (b) the use of eval(), and (c) in-line javascript or CSS of any kind.
     Set _POLICY_ to "off" to completely disable the CSP mechanism.  Or
     specify some other policy suitable for the needs of the application.










  +  <a name="debug-env"></a>**wapp-debug-env**  
     This routine returns text that describes all of the Wapp parameters.
     Use it to get a parameter dump for troubleshooting purposes.

  +  **wapp** _TEXT_  
     Add _TEXT_ to the web page output currently under construction.  _TEXT_








|
>
>
>
>
>
>
>
>








118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

  +  <a name='csp'></a>**wapp-content-security-policy** _POLICY_  
     Set the Content Security Policy (hereafter "CSP") to _POLICY_.  The
     default CSP is _default\_src 'self'_, which is very restrictive.  The
     default CSP disallows (a) loading any resources from other origins,
     (b) the use of eval(), and (c) in-line javascript or CSS of any kind.
     Set _POLICY_ to "off" to completely disable the CSP mechanism.  Or
     specify some other policy suitable for the needs of the application.
     <p>The following allows inline images using
     &lt;img src='data:...'&gt; and inline "style='...'" attributes,
     but restricts all other attack vectors and thus seems to be a good
     choice for many applications:
     <blockquote><pre>
     wapp-content-security-policy {
        default-src 'self' data:;
        style-src 'self' 'unsafe-inline';
     }</pre><blockquote>

  +  <a name="debug-env"></a>**wapp-debug-env**  
     This routine returns text that describes all of the Wapp parameters.
     Use it to get a parameter dump for troubleshooting purposes.

  +  **wapp** _TEXT_  
     Add _TEXT_ to the web page output currently under construction.  _TEXT_
Changes to docs/params.md. 
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

clicking on a hyperlink or form on a page that was generated by the
same website.
Manually typing in a URL does not constitute the "same origin".  Hence,
in the "env.tcl" example above the "wapp-allow-xorigin-params" interface
is used so that you can manually extend the URL to add new query parameters.

If query parameters can have side effects, then you should omit the
wapp-allow-xorigin-params call.  Only invoke wapp-allow-xorigin-params
for web pages that only query information.  Do not invoke
wapp-allow-xorigin-params on pages where the parameters can be used
to change server-side state.

<a name='cgidetail'></a>
3.0 CGI Parameter Details [(Quick reference)](quickref.md#cgiparams)
-------------------------

The CGI parameters in Wapp describe the HTTP request that is to be answered
and the execution environment.








|
|
|
<








124
125
126
127
128
129
130
131
132
133

134
135
136
137
138
139
140

clicking on a hyperlink or form on a page that was generated by the
same website.
Manually typing in a URL does not constitute the "same origin".  Hence,
in the "env.tcl" example above the "wapp-allow-xorigin-params" interface
is used so that you can manually extend the URL to add new query parameters.

If query parameters can have side effects, then you should omit the
wapp-allow-xorigin-params call.  The wapp-allow-xorigin-params command
is safe for read-only web pages.  Do not invoke wapp-allow-xorigin-params
on pages where the parameters can be used to change server state.


<a name='cgidetail'></a>
3.0 CGI Parameter Details [(Quick reference)](quickref.md#cgiparams)
-------------------------

The CGI parameters in Wapp describe the HTTP request that is to be answered
and the execution environment.
Changes to wapptclsh.c.in. 
42
43
44
45
46
47
48




49
50
51
52
53
54
55



56
57

*/
static const char zWappTclshInit[] = 
BEGIN_STRING
INCLUDE $ROOT/wapptclsh.tcl
END_STRING
;





/*
** Return the text of the script to run.  Or, return NULL to run an
** interactive shell.
*/
const char *wapptclsh_init_proc(Tcl_Interp *interp){
  Tcl_GlobalEval(interp, zWapp);  /* Load the wapp.tcl extension */
  Tcl_GlobalEval(interp, zWappTclshInit); /* Load the main loop script */



  return Tcl_GetVar(interp, "main_script", TCL_GLOBAL_ONLY);
}








>
>
>
>







>
>
>



42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

*/
static const char zWappTclshInit[] = 
BEGIN_STRING
INCLUDE $ROOT/wapptclsh.tcl
END_STRING
;

#ifdef WAPP_ENABLE_TCLTLS
extern int Tls_Init(Tcl_Interp*);
#endif

/*
** Return the text of the script to run.  Or, return NULL to run an
** interactive shell.
*/
const char *wapptclsh_init_proc(Tcl_Interp *interp){
  Tcl_GlobalEval(interp, zWapp);  /* Load the wapp.tcl extension */
  Tcl_GlobalEval(interp, zWappTclshInit); /* Load the main loop script */
#ifdef WAPP_ENABLE_TCLTLS
  Tls_Init(interp);
#endif
  return Tcl_GetVar(interp, "main_script", TCL_GLOBAL_ONLY);
}