From 51d49c3134c9acf7e2daba5bcc8c87e14a7548f1 Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Fri, 10 May 2019 13:38:11 +0200
Subject: Move initCore to the bundle

Signed-off-by: Christoph Wurst
---
 core/src/jquery/index.js | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
(limited to 'core/src/jquery/index.js')

diff --git a/core/src/jquery/index.js b/core/src/jquery/index.js
index 71659137b3e..43b379fd2e5 100644
--- a/core/src/jquery/index.js
+++ b/core/src/jquery/index.js
@@ -19,6 +19,8 @@
  * along with this program. If not, see .
  */
+import $ from 'jquery'
+
 
 import './avatar'
 import './contactsmenu'
 import './exists'
@@ -33,3 +35,28 @@
 import './ui-fixes'
 import './css/jquery-ui-fixes.scss'
 import './css/jquery.ocdialog.scss'
+
+/**
+ * Disable automatic evaluation of responses for $.ajax() functions (and its
+ * higher-level alternatives like $.get() and $.post()).
+ *
+ * If a response to a $.ajax() request returns a content type of "application/javascript"
+ * JQuery would previously execute the response body. This is a pretty unexpected
+ * behaviour and can result in a bypass of our Content-Security-Policy as well as
+ * multiple unexpected XSS vectors.
+ */
+$.ajaxSetup({
+ contents: {
+ script: false
+ }
+})
+
+/**
+ * Disable execution of eval in jQuery. We do require an allowed eval CSP
+ * configuration at the moment for handlebars et al. But for jQuery there is
+ * not much of a reason to execute JavaScript directly via eval.
+ *
+ * This thus mitigates some unexpected XSS vectors.
+ */
+$.globalEval = function () {
+}
-- 
cgit v1.2.3
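Review bot: Replacing `$.globalEval` with an empty function at the end of the second hunk silently turns every jQuery path that still routes through it into a no-op — notably `$.getScript()` and any `$.ajax({ dataType: 'script' })`, whose `"text script"` converter calls `$.globalEval`, so such requests now resolve successfully while executing nothing; together with `contents: { script: false }` that is presumably the intent, but nothing in the hunk says so. Whether the override also covers `<script>` elements inserted via `.html()`/`.append()` depends on the bundled jQuery version (jQuery 3 evaluates those through an internal helper rather than `$.globalEval`), so the docblock should state the verified scope instead of implying a general mitigation. I would extend the second docblock with `Note: this also makes $.getScript() and dataType: 'script' requests silent no-ops; do not rely on them in core or apps.` plus a sentence saying whether DOM-inserted script tags are covered for the jQuery version shipped here. Both `$.ajaxSetup()` and the `$.globalEval` assignment only affect this jQuery instance, so an app bundling its own copy of jQuery does not inherit the hardening — worth one sentence in the first docblock.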