CSP for statistics and forms

https://github.com/FreshRSS/FreshRSS/issues/1075

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## 2016-xx-xx FreshRSS 1.3.1-beta
 
+* Security
+	* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
 * UI
 	* Fixed several small bugs in global and reader view [#1050](https://github.com/FreshRSS/FreshRSS/pull/1050)
 	* Updated to jQuery 2.2 and changed code for auto-load on scroll [#1050](https://github.com/FreshRSS/FreshRSS/pull/1050)

app/FreshRSS.php

@@ -111,7 +111,11 @@ class FreshRSS extends Minz_FrontController {
 	}
 
 	public static function preLayout() {
-		header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'");
+		if (Minz_Request::controllerName() === 'stats') {
+			header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+		} else {
+			header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+		}
 	}
 
 	private function loadNotifications() {

app/layout/aside_feed.phtml

@@ -19,7 +19,7 @@
 	<a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('index.menu.about'); ?></a>
 	<?php } ?>
 
-	<form id="mark-read-aside" method="post" style="display: none"></form>
+	<form id="mark-read-aside" method="post" aria-hidden="true"></form>
 
 	<ul class="tree">
 		<li class="tree-folder category all<?php echo FreshRSS_Context::isCurrentGet('a') ? ' active' : ''; ?>">

app/layout/nav_menu.phtml

@@ -79,7 +79,7 @@
 		);
 	?>
 
-	<form id="mark-read-menu" method="post" style="display: none"></form>
+	<form id="mark-read-menu" method="post" aria-hidden="true"></form>
 
 	<div class="stick" id="nav_menu_read_all">
 		<?php $confirm = FreshRSS_Context::$user_conf->reading_confirm ? 'confirm' : ''; ?>

app/views/extension/index.phtml

@@ -5,7 +5,7 @@
 
 	<h1><?php echo _t('admin.extensions.title'); ?></h1>
 
-	<form id="form-extension" method="post" style="display: none"></form>
+	<form id="form-extension" method="post" aria-hidden="true"></form>
 	<?php if (!empty($this->extension_list['system'])) { ?>
 	<h2><?php echo _t('admin.extensions.system'); ?></h2>
 	<?php

app/views/feed/add.phtml

@@ -56,7 +56,7 @@
 					<option value="nc"><?php echo _t('sub.category.new'); ?></option>
 				</select>
 
-				<span style="display: none;">
+				<span aria-hidden="true">
 					<input type="text" name="new_category[name]" id="new_category_name" autocomplete="off" placeholder="<?php echo _t('sub.category.new'); ?>" />
 				</span>
 			</div>

app/views/helpers/pagination.phtml

@@ -14,7 +14,7 @@
 	);
 ?>
 
-<form id="mark-read-pagination" method="post" style="display: none"></form>
+<form id="mark-read-pagination" method="post" aria-hidden="true"></form>
 
 <ul class="pagination">
 	<li class="item pager-next">

app/views/stats/idle.phtml

@@ -18,7 +18,7 @@
 		<div class="stat">
 			<h2><?php echo _t('gen.date.' . $period); ?></h2>
 
-			<form id="form-delete" method="post" style="display: none"></form>
+			<form id="form-delete" method="post" aria-hidden="true"></form>
 
 			<?php foreach ($feeds as $feed) { ?>
 			<ul class="horizontal-list">

app/views/stats/index.phtml

@@ -66,18 +66,18 @@
 
 	<div class="stat">
 		<h2><?php echo _t('admin.stats.entry_per_day'); ?></h2>
-		<div id="statsEntryPerDay" style="height: 300px"></div>
+		<div id="statsEntryPerDay" class="statGraph"></div>
 	</div>
 
 	<div class="stat half">
 		<h2><?php echo _t('admin.stats.feed_per_category'); ?></h2>
-		<div id="statsFeedPerCategory" style="height: 300px"></div>
+		<div id="statsFeedPerCategory" class="statGraph"></div>
 		<div id="statsFeedPerCategoryLegend"></div>
-	</div><!--
+	</div>
 
-	--><div class="stat half">
+	<div class="stat half">
 		<h2><?php echo _t('admin.stats.entry_per_category'); ?></h2>
-		<div id="statsEntryPerCategory" style="height: 300px"></div>
+		<div id="statsEntryPerCategory" class="statGraph"></div>
 		<div id="statsEntryPerCategoryLegend"></div>
 	</div>
 </div>

app/views/stats/repartition.phtml

@@ -48,17 +48,17 @@
 
 	<div class="stat">
 		<h2><?php echo _t('admin.stats.entry_per_hour', $this->averageHour); ?></h2>
-		<div id="statsEntryPerHour" style="height: 300px"></div>
+		<div id="statsEntryPerHour" class="statGraph"></div>
 	</div>
 
 	<div class="stat half">
 		<h2><?php echo _t('admin.stats.entry_per_day_of_week', $this->averageDayOfWeek); ?></h2>
-		<div id="statsEntryPerDayOfWeek" style="height: 300px"></div>
-	</div><!--
+		<div id="statsEntryPerDayOfWeek" class="statGraph"></div>
+	</div>
 
-	--><div class="stat half">
+	<div class="stat half">
 		<h2><?php echo _t('admin.stats.entry_per_month', $this->averageMonth); ?></h2>
-		<div id="statsEntryPerMonth" style="height: 300px"></div>
+		<div id="statsEntryPerMonth" class="statGraph"></div>
 	</div>
 </div>
 

app/views/subscription/index.phtml

@@ -28,7 +28,7 @@
 						</select>
 					</li>
 
-					<li class="input" style="display:none">
+					<li class="input" aria-hidden="true">
 						<input type="text" name="new_category[name]" id="new_category_name" autocomplete="off" placeholder="<?php echo _t('sub.category.new'); ?>" />
 					</li>
 
@@ -62,7 +62,7 @@
 		</ul>
 	</div>
 
-	<form id="controller-category" method="post" style="display: none;"></form>
+	<form id="controller-category" method="post" aria-hidden="true"></form>
 
 	<?php
 		foreach ($this->categories as $cat) {

p/scripts/main.js

@@ -899,7 +899,7 @@ function refreshUnreads() {
 
 			if ((incUnreadsFeed(null, feed_id, nbUnreads - feed_unreads) || isAll) &&	//Update of current view?
 				(nbUnreads - feed_unreads > 0)) {
-				$('#new-article').show();
+				$('#new-article').attr('aria-hidden', 'false').show();
 				new_articles = true;
 			};
 		});
@@ -1122,10 +1122,10 @@ function init_feed_observers() {
 	$('select[id="category"]').on('change', function() {
 		var detail = $('#new_category_name').parent();
 		if ($(this).val() === 'nc') {
-			detail.show();
+			detail.attr('aria-hidden', 'false').show();
 			detail.find('input').focus();
 		} else {
-			detail.hide();
+			detail.attr('aria-hidden', 'true').hide();
 		}
 	});
 }

p/themes/base-theme/template.css

@@ -110,6 +110,11 @@ td.numeric {
 
 /*=== COMPONENTS */
 /*===============*/
+
+[aria-hidden="true"] {
+	display: none;
+}
+
 /*=== Forms */
 .form-group::after {
 	content: "";
@@ -620,6 +625,9 @@ br + br + br {
 .stat > table {
 	width: 100%;
 }
+.statGraph {
+	height: 300px;
+}
 
 /*=== GLOBAL VIEW */
 /*================*/