Index: Makefile ================================================================== --- Makefile +++ Makefile @@ -1,17 +1,30 @@ #!/usr/bin/make CC = gcc -Os -static -TCLLIB = /home/drh/tcl/lib/libtcl8.7.a -lm -lz -lpthread -ldl +TCLLIB1 = +TCLLIB2 = /home/drh/tcl/lib/libtcl8.7.a -lm -lz -lpthread -ldl TCLINC = /home/drh/tcl/include TCLSH = tclsh + +# Comment out the following to disable TLS support. +# +# The tcltls.a library can be build from sources obtained from +# +# https://core.tcl-lang.org/tcltls/wiki/Download +# +# Use "./configure --disable-shared". You will also need to install static +# OpenSSL libraries. +# +CC += -DWAPP_ENABLE_TCLTLS +TCLLIB1 = /home/drh/tcl/lib/tcltls.a -lssl -lcrypto all: wapptclsh wapptclsh: wapptclsh.c - $(CC) -I. -I$(TCLINC) -o $@ wapptclsh.c $(TCLLIB) + $(CC) -I. -I$(TCLINC) -o $@ wapptclsh.c $(TCLLIB1) $(TCLLIB2) wapptclsh.c: wapptclsh.c.in wapp.tcl wapptclsh.tcl tclsqlite3.c mkccode.tcl $(TCLSH) mkccode.tcl wapptclsh.c.in >$@ clean: - rm wapptclsh wapptclsh.c + rm -f wapptclsh wapptclsh.c Index: docs/commands.md ================================================================== --- docs/commands.md +++ docs/commands.md @@ -120,11 +120,19 @@ default CSP is _default\_src 'self'_, which is very restrictive. The default CSP disallows (a) loading any resources from other origins, (b) the use of eval(), and (c) in-line javascript or CSS of any kind. Set _POLICY_ to "off" to completely disable the CSP mechanism. Or specify some other policy suitable for the needs of the application. - +
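Review bot: The TLS switch at `CC += -DWAPP_ENABLE_TCLTLS` / `TCLLIB1 = /home/drh/tcl/lib/tcltls.a -lssl -lcrypto` is two independent lines that the comment asks the reader to comment out together; disabling only the define leaves tcltls.a linked but never initialised, and disabling only the library line leaves `Tls_Init` referenced from wapptclsh.c so the link fails. A single guarded variable, as below, makes the two lines stand or fall together and can be flipped from the command line. Because `CC` carries `-static` and the comment requires static OpenSSL libraries, the resulting wapptclsh embeds its own copy of libssl/libcrypto and will not pick up system OpenSSL security updates; that deserves a comment next to the switch (included below). Also `can be build` should read `can be built`, and `all`/`clean` are still not declared `.PHONY`.
```make
# … unchanged: CC, TCLLIB1, TCLLIB2, TCLINC, TCLSH assignments …
# Set WAPP_TLS=0 (here or on the make command line) to build without TLS.
# tcltls.a: https://core.tcl-lang.org/tcltls/wiki/Download, built with
# "./configure --disable-shared"; static OpenSSL libraries are also needed.
# NOTE: OpenSSL is linked statically (CC carries -static), so wapptclsh does
# not pick up system OpenSSL updates -- rebuild it after each OpenSSL patch.
WAPP_TLS ?= 1
ifneq ($(strip $(WAPP_TLS)),0)
CC += -DWAPP_ENABLE_TCLTLS
TCLLIB1 = /home/drh/tcl/lib/tcltls.a -lssl -lcrypto
endif
# … unchanged: all, wapptclsh, wapptclsh.c and clean rules …
```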

The following allows inline images using + <img src='data:...'> and inline "style='...'" attributes, + but restricts all other attack vectors and thus seems to be a good + choice for many applications: +

+     wapp-content-security-policy {
+        default-src 'self' data:;
+        style-src 'self' 'unsafe-inline';
+     }
+ **wapp-debug-env** This routine returns text that describes all of the Wapp parameters. Use it to get a parameter dump for troubleshooting purposes. Index: docs/params.md ================================================================== --- docs/params.md +++ docs/params.md @@ -126,14 +126,13 @@ Manually typing in a URL does not constitute the "same origin". Hence, in the "env.tcl" example above the "wapp-allow-xorigin-params" interface is used so that you can manually extend the URL to add new query parameters. If query parameters can have side effects, then you should omit the -wapp-allow-xorigin-params call. Only invoke wapp-allow-xorigin-params -for web pages that only query information. Do not invoke -wapp-allow-xorigin-params on pages where the parameters can be used -to change server-side state. +wapp-allow-xorigin-params call. The wapp-allow-xorigin-params command +is safe for read-only web pages. Do not invoke wapp-allow-xorigin-params +on pages where the parameters can be used to change server state. 3.0 CGI Parameter Details [(Quick reference)](quickref.md#cgiparams) ------------------------- Index: wapptclsh.c.in ================================================================== --- wapptclsh.c.in +++ wapptclsh.c.in @@ -44,14 +44,21 @@ BEGIN_STRING INCLUDE $ROOT/wapptclsh.tcl END_STRING ; +#ifdef WAPP_ENABLE_TCLTLS +extern int Tls_Init(Tcl_Interp*); +#endif + /* ** Return the text of the script to run. Or, return NULL to run an ** interactive shell. */ const char *wapptclsh_init_proc(Tcl_Interp *interp){ Tcl_GlobalEval(interp, zWapp); /* Load the wapp.tcl extension */ Tcl_GlobalEval(interp, zWappTclshInit); /* Load the main loop script */ +#ifdef WAPP_ENABLE_TCLTLS + Tls_Init(interp); +#endif return Tcl_GetVar(interp, "main_script", TCL_GLOBAL_ONLY); }
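Review bot: The return value of `Tls_Init(interp)` in wapptclsh_init_proc is discarded, so a failed TLS initialisation leaves the shell running without the tls package and the failure only surfaces later as an obscure error from whatever script first needs TLS. Check it and fail loudly rather than continue without TLS: `if( Tls_Init(interp)!=TCL_OK ){ fprintf(stderr, "%s\n", Tcl_GetStringResult(interp)); Tcl_Exit(1); }` (tcl.h already pulls in stdio.h). Tls_Init also runs after both Tcl_GlobalEval calls; I cannot tell from the hunk whether either embedded script loads tls while it is being evaluated, but if one does the initialisation comes too late, and calling Tls_Init before the two evals would be the safer order.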