Removed unsafe-inline JS from CSP and other fixes
- Removed `unsafe-inline` for javascript from CSP. The admin interface now uses files instead of inline javascript. - Modified the javascript to work without being inlined. - Ran eslint over the javascript and fixed some items. - Added a `to_json` Handlebars helper. Used at the diagnostics page. - Changed `AdminTemplateData` struct to be smaller. The `config` was always added, but only used at one page. Same goes for `can_backup` and `version`. - Also moved CSS into files. We can't remove the `unsafe-inline` from css, because that seems to break the web-vault currently. That might need some further checks. But for now the 404 page and all the admin pages are clear of inline scripts and styles.
1 parent
b0f03bb
commit 0f588ce
Showing
18 changed files
with
946 additions
and
718 deletions.
@@ -0,0 +1,26 @@ | ||
body { | ||
padding-top: 75px; | ||
} | ||
.vaultwarden-icon { | ||
width: 48px; | ||
height: 48px; | ||
height: 32px; | ||
width: auto; | ||
margin: -5px 0 0 0; | ||
} | ||
.footer { | ||
padding: 40px 0 40px 0; | ||
border-top: 1px solid #dee2e6; | ||
} | ||
.container { | ||
max-width: 980px; | ||
} | ||
.content { | ||
padding-top: 20px; | ||
padding-bottom: 20px; | ||
padding-left: 15px; | ||
padding-right: 15px; | ||
} | ||
.vw-404 { | ||
max-width: 500px; width: 100%; | ||
} |
@@ -0,0 +1,45 @@ | ||
body { | ||
padding-top: 75px; | ||
} | ||
img { | ||
width: 48px; | ||
height: 48px; | ||
} | ||
.vaultwarden-icon { | ||
height: 32px; | ||
width: auto; | ||
margin: -5px 0 0 0; | ||
} | ||
/* Special alert-row class to use Bootstrap v5.2+ variable colors */ | ||
.alert-row { | ||
--bs-alert-border: 1px solid var(--bs-alert-border-color); | ||
color: var(--bs-alert-color); | ||
background-color: var(--bs-alert-bg); | ||
border: var(--bs-alert-border); | ||
} | ||
|
||
#users-table .vw-created-at, #users-table .vw-last-active { | ||
width: 85px; | ||
min-width: 70px; | ||
} | ||
#users-table .vw-items { | ||
width: 35px; | ||
min-width: 35px; | ||
} | ||
#users-table .vw-organizations { | ||
min-width: 120px; | ||
} | ||
#users-table .vw-actions, #orgs-table .vw-actions { | ||
width: 130px; | ||
min-width: 130px; | ||
} | ||
#users-table .vw-org-cell { | ||
max-height: 120px; | ||
} | ||
|
||
#support-string { | ||
height: 16rem; | ||
} | ||
.vw-copy-toast { | ||
width: 15rem; | ||
} |
@@ -0,0 +1,65 @@ | ||
"use strict"; | ||
|
||
function getBaseUrl() { | ||
// If the base URL is `https://vaultwarden.example.com/base/path/`, | ||
// `window.location.href` should have one of the following forms: | ||
// | ||
// - `https://vaultwarden.example.com/base/path/` | ||
// - `https://vaultwarden.example.com/base/path/#/some/route[?queryParam=...]` | ||
// | ||
// We want to get to just `https://vaultwarden.example.com/base/path`. | ||
const baseUrl = window.location.href; | ||
const adminPos = baseUrl.indexOf("/admin"); | ||
return baseUrl.substring(0, adminPos != -1 ? adminPos : baseUrl.length); | ||
} | ||
const BASE_URL = getBaseUrl(); | ||
|
||
function reload() { | ||
// Reload the page by setting the exact same href | ||
// Using window.location.reload() could cause a repost. | ||
window.location = window.location.href; | ||
} | ||
|
||
function msg(text, reload_page = true) { | ||
text && alert(text); | ||
reload_page && reload(); | ||
} | ||
|
||
function _post(url, successMsg, errMsg, body, reload_page = true) { | ||
fetch(url, { | ||
method: "POST", | ||
body: body, | ||
mode: "same-origin", | ||
credentials: "same-origin", | ||
headers: { "Content-Type": "application/json" } | ||
}).then( resp => { | ||
if (resp.ok) { msg(successMsg, reload_page); return Promise.reject({error: false}); } | ||
const respStatus = resp.status; | ||
const respStatusText = resp.statusText; | ||
return resp.text(); | ||
}).then( respText => { | ||
try { | ||
const respJson = JSON.parse(respText); | ||
return respJson ? respJson.ErrorModel.Message : "Unknown error"; | ||
} catch (e) { | ||
return Promise.reject({body:respStatus + " - " + respStatusText, error: true}); | ||
} | ||
}).then( apiMsg => { | ||
msg(errMsg + "\n" + apiMsg, reload_page); | ||
}).catch( e => { | ||
if (e.error === false) { return true; } | ||
else { msg(errMsg + "\n" + e.body, reload_page); } | ||
}); | ||
} | ||
|
||
// onLoad events | ||
document.addEventListener("DOMContentLoaded", (/*event*/) => { | ||
// get current URL path and assign "active" class to the correct nav-item | ||
const pathname = window.location.pathname; | ||
if (pathname === "") return; | ||
const navItem = document.querySelectorAll(`.navbar-nav .nav-item a[href="${pathname}"]`); | ||
if (navItem.length === 1) { | ||
navItem[0].className = navItem[0].className + " active"; | ||
navItem[0].setAttribute("aria-current", "page"); | ||
} | ||
}); |
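Review bot: In the DOMContentLoaded handler, `window.location.pathname` is interpolated unescaped into the CSS selector passed to `querySelectorAll`; browsers percent-encode `"` in the path so this is unlikely to be exploitable, but any character the selector grammar rejects makes `querySelectorAll` throw and abort the handler, and the fix is to interpolate `${CSS.escape(pathname)}` instead of the raw value. While touching that line, `navItem[0].classList.add("active");` is the idiomatic replacement for the `className` string concatenation. Separately, `getBaseUrl` cuts the href at the first occurrence of `/admin`, so a deployment whose base path itself contains that substring (for example `/admin-tools/admin`) would compute a wrong `BASE_URL`; if such base paths are meant to be supported, matching `/admin` as a path segment of `window.location.pathname` rather than the first substring of the full href would be more robust.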