It was already broken and didn't work properly, but update to py3 and at
least make it run. More changes are necessary to actually make it happy
again.

Previously the result page was rendered directly and if the user hit the
refresh button the bug would be duplicated. Instead redirect to a
results page (with the bug number) which can be freely refreshed.

Not used yet (though a prototype redirect view is present) since we need
to populate it with data from the past, but with this we start
collecting the mapping for future bugs.

This was a regression introduced by the new styles that affects
readability of nested variables lists (e.g. on the message protocol
page). This brings the look more in line with the previous documentation
styles and should help with readability.

The old code always raised an exception as the variable being checked
was not defined at that point. Now, it checks the variable that one
expects to be set.

This one goes back 10+ years and nobody really knows what it's for. And
it does create issues for the content security policy, so let's just get
rid of it.

Caused an exception when somebody tried to upload an SSH key where the
*key type* contains non-ascii (this would normally be things like
"ssh-rsa", and there are definitely no legit key types outside the ascii
range, but we still shouldn't crash).

The following security policy headers are set:
X-XSS-Protection: 1; mode=block -- always set
X-Frame-Options: DENY is set for all pages except for the documentation
pages, primarily because pgadmin4 loads them in an iframe which would
break.
Content-Security-Policy: <x>-src
Is set to allow the default of self only, then allowing scripts for
google analytics and fonts for google fonts. Images are allowed from everywhere.
frame-ancestors 'none' is set by the same rules as X-Frame-Options
This also adds a decorator for @script_sources to have a single view
allow extra sources, and this is used for recaptcha. A generic decorator
is also made for other types of exclusions, though we don't have any at
this point.
If the setting SECURITY_POLICY_REPORT_ONLY is set to True then the policy
will be report-only and not enforced (for testing), otherwise enforcing
mode is enabled.
The setting SECURITY_POLICY_REPORT_URI sets where to send security
policy reports, if any.
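As an added illustration (not pgweb's own middleware or decorator code), here is a Django-free sketch of the header logic this message describes: the per-view @script_sources decorator, the X-Frame-Options/frame-ancestors exception for documentation pages, and the report-only and report-URI settings. The third-party hosts, the /docs/ path prefix and all function names are assumptions made for the example.

```python
from functools import wraps

# Assumed third-party hosts (constructed for this example, not taken from pgweb settings).
GOOGLE_ANALYTICS = "https://www.google-analytics.com"
GOOGLE_FONTS_CSS = "https://fonts.googleapis.com"
GOOGLE_FONTS_FILES = "https://fonts.gstatic.com"

def script_sources(*sources):
    """Decorator letting a single view allow extra script-src origins."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            return view(*args, **kwargs)
        wrapper.extra_script_sources = tuple(sources)
        return wrapper
    return decorator

def csp_policy(extra_script=(), framable=False):
    """Self only by default; Google Analytics for scripts, Google Fonts for styles/fonts."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join((GOOGLE_ANALYTICS,) + tuple(extra_script)),
        "style-src 'self' " + GOOGLE_FONTS_CSS,
        "font-src 'self' " + GOOGLE_FONTS_FILES,
        "img-src *",  # images are allowed from everywhere
    ]
    if not framable:
        directives.append("frame-ancestors 'none'")
    return "; ".join(directives)

def security_headers(view, path, settings):
    """Headers for `view` served at `path`; `settings` is a dict standing in for Django settings."""
    headers = {"X-XSS-Protection": "1; mode=block"}
    # Docs pages are loaded in an iframe by pgadmin4: no X-Frame-Options, no frame-ancestors.
    is_docs = path.startswith("/docs/")
    if not is_docs:
        headers["X-Frame-Options"] = "DENY"
    policy = csp_policy(getattr(view, "extra_script_sources", ()), is_docs)
    if settings.get("SECURITY_POLICY_REPORT_URI"):
        policy += "; report-uri " + settings["SECURITY_POLICY_REPORT_URI"]
    name = ("Content-Security-Policy-Report-Only"
            if settings.get("SECURITY_POLICY_REPORT_ONLY") else "Content-Security-Policy")
    headers[name] = policy
    return headers

@script_sources("https://www.google.com/recaptcha/")  # assumed recaptcha host
def signup_view(request):
    """Constructed sample view that embeds a reCAPTCHA widget."""
    return "signup form"
```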

Instead of using <style> with import, set an explicit link like we do
for other stylesheets. This will make it possible to turn on a content
security policy for CSS.