diff options
| author | erdgeist <erdgeist@erdgeist.org> | 2026-07-18 16:30:31 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-07-18 16:30:31 +0200 |
| commit | 0c6783816e0a7a8acad922296d3eb8cc454fb981 (patch) | |
| tree | 54c59e86afa188de6429ff0e1f07d1b6e4f36350 /public/javascripts/admin_interface.js | |
| parent | 6b6e50909cc77de1797e88be5445c5b643b008a9 (diff) | |
Emit a report-only Content-Security-Policy with nonced inline scripts
- dark-mode restore now travels nonced, the admin constants likewise
- AUTH_TOKEN deleted in favour of the csrf meta tag
- new report collector at /csp_reports
Diffstat (limited to 'public/javascripts/admin_interface.js')
| -rw-r--r-- | public/javascripts/admin_interface.js | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/public/javascripts/admin_interface.js b/public/javascripts/admin_interface.js index c0e2d9c..b7bdc10 100644 --- a/public/javascripts/admin_interface.js +++ b/public/javascripts/admin_interface.js | |||
| @@ -82,10 +82,8 @@ $(document).ready(function () { | |||
| 82 | }); | 82 | }); |
| 83 | 83 | ||
| 84 | $(document).ajaxSend(function(event, request, settings) { | 84 | $(document).ajaxSend(function(event, request, settings) { |
| 85 | if (typeof(AUTH_TOKEN) == "undefined") return; | 85 | var meta = document.querySelector("meta[name='csrf-token']"); |
| 86 | // settings.data is a serialized string like "foo=bar&baz=boink" (or null) | 86 | if (meta) request.setRequestHeader("X-CSRF-Token", meta.content); |
| 87 | settings.data = settings.data || ""; | ||
| 88 | settings.data += (settings.data ? "&" : "") + "authenticity_token=" + encodeURIComponent(AUTH_TOKEN); | ||
| 89 | }); | 87 | }); |
| 90 | 88 | ||
| 91 | }); | 89 | }); |
