* Mon Dec 30 2024 Jean-Philippe Pialasse <jpp@koozali.org> 2.8.0-42.sme

-  add CSP support [SME: 9566]

e-smith-manager.spec

@@ -4,7 +4,7 @@ Summary: e-smith manager navigation module
 %define name e-smith-manager
 Name: %{name}
 %define version 2.8.0
-%define release 41
+%define release 42
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -24,6 +24,9 @@ Provides: server-manager
 AutoReqProv: no
 
 %changelog
+* Mon Dec 30 2024 Jean-Philippe Pialasse <jpp@koozali.org> 2.8.0-42.sme
+-  add CSP support [SME: 9566]
+
 * Tue Mar 26 2024 Jean-Philippe Pialasse <jpp@koozali.org> 2.8.0-41.sme
 - fix systemd service file [SME: 12556]
 

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27ManagerProxyPass

@@ -31,6 +31,14 @@
         } else {
             $OUT .= "        Require ip $localAccess\n";
         }
+
+        # any server-manager script or style added in line should be hashed and added here to run in a modern browser
+        $OUT .= "                   Header set Content-Security-Policy  \"script-src 'self' https://$virtualHost 'unsafe-hashes' "
+        ." 'sha256-bu1Wbll/1+gfjCxVn9czXKc7IhIJRjJgNFdNltH+09c=' 'sha256-MQmv1rIdRtr7sC3167eTWkTNMSq5QzWRPxhOzKUtvKg=' 'sha256-DuDis7gGgnegJBjroiLOJwY+DvfilQsYswIXb6lNE8c=' 'sha256-FengF4xZO+fXC/zBgGGYYPLtc95CEZAk+vS7A9OR64o='  ;"
+        ." style-src 'self' https://$virtualHost 'unsafe-hashes' "
+        ." 'sha256-ABT3Vs4q5dwUnsKaFzA38LnsL3426dj6CkNKRofyqjA=' 'sha256-upqzRUpu+M2pCK19HHLg5oUeQnpEXij9kojuDNdJnGc=' 'sha256-sa1JolVbZz72+sa0pOWp/LBIoZfF9P1N8Gzy5u3C3Qc=' 'sha256-q9xrwNUn7ieRndtLNP/uNCEBKXjzTzvZv1fddtmMK9w=' ;"
+        ." script-src-attr 'self' https://$virtualHost 'unsafe-hashes' 'sha256-QgFUvJuzASZ+WbF57Vn8eQoWvuBJ78nF7YMraPzQVvg=' \"\n"; 
+
         $OUT .= "    </Location>\n";
     }
 }

root/etc/e-smith/web/functions/navigation

@@ -288,6 +288,18 @@ sub showNavigation ($)
     // End script hiding -->
     </script>
     ";
+   print '    
+   <script language="JavaScript" type="text/javascript">
+   <!-- Hide script
+        window.onload = function(){
+          var menuitems = document.getElementsByClassName("item");
+	  var i = menuitems.length;
+	  while (i--)
+	    menuitems[i].addEventListener("click", function(){swapClasses(this.id)});
+	};  
+        // End script hiding -->
+    </script>
+    ';
 
     foreach my $h (sort {
 	 ($nav{$a}{'WEIGHT'}/$nav{$a}{'COUNT'}) <=>
@@ -320,7 +332,7 @@ sub showNavigation ($)
 			     $q->td ({-class => "menu-cell"},
 				     $q->a ({-id => "sme$c",
                                             -class => "item",
-                                            -onClick => "swapClasses('sme$c')",
+					    #-onClick => "swapClasses(this.id)", #with CSP replaced by eventlistener
                                             href => $href, 
                                             target => 'main'}, 
                                         $_->{'DESCRIPTION'})