Previously the result page was rendered directly and if the user hit the
refresh button the bug would be duplicated. Instead redirect to a
results page (with the bug number) which can be freely refreshed.
Not used yet (though a prototype redirect view is present) since we need
to populate it with data from the past, but with this we start
collecting the mapping for future bugs.
This was a regression introduced by the new styles that affects
readability of nested variable lists (e.g. on the message protocol
page). This brings the look more in line with the previous documentation
styles and should help with readability.
The old code always raised an exception as the variable being checked
was not defined at that point. Now, it checks the variable that one
expects to be set.
This one goes back 10+ years and nobody really knows what it's for. And
it does create issues for the content security policy, so let's just get
rid of it.
Caused an exception when somebody tried to upload an SSH key where the
*key type* contains non-ASCII (this would normally be things like
"ssh-rsa", and there are definitely no legit key types outside the ASCII
range, but we still shouldn't crash).
The following security policy headers are set:
X-XSS-Protection: 1; mode=block -- always set
X-Frame-Options: DENY is set for all pages except for the documentation
pages, primarily because pgadmin4 loads them in an iframe which would
break.
Content-Security-Policy: <x>-src is set to allow the default of self
only, then allowing scripts for Google Analytics and fonts for Google
Fonts. Images are allowed from everywhere.
frame-ancestors 'none' is set by the same rules as X-Frame-Options.
This also adds a decorator for @script_sources to have a single view
allow extra sources, and this is used for recaptcha. A generic decorator
is also made for other types of exclusions, though we don't have any at
this point.
If the setting SECURITY_POLICY_REPORT_ONLY is set to True then the policy
will be report-only and not enforced (for testing), otherwise enforcing
mode is enabled.
The setting SECURITY_POLICY_REPORT_URI sets where to send security
policy reports, if any.
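The commit message above describes the header logic in prose; the following is an added example, not pgweb's own code, that shows one way such a policy can be assembled: a base policy (self only, plus Google Analytics scripts and Google Fonts), a generic per-view decorator with a `script_sources` shortcut for the reCAPTCHA case, a framing exemption for documentation pages that drives both `X-Frame-Options` and `frame-ancestors`, and a report-only switch with an optional report URI. The `Response` class, the hostnames, and all function names are constructed for the illustration and are not taken from the project.

```python
from functools import wraps

# Constructed base policy mirroring the description: self only by default,
# scripts additionally from Google Analytics, fonts from Google Fonts,
# images from anywhere. The hostnames are assumptions, not pgweb's values.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://www.google-analytics.com"],
    "font-src": ["'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
    "img-src": ["*"],
}


class Response:
    """Stand-in for an HTTP response object (constructed for this example)."""
    def __init__(self, body=""):
        self.body = body
        self.headers = {}
        self.extra_csp = {}        # per-view additions recorded by decorators
        self.allow_framing = False  # documentation pages flip this to True


def content_sources(directive, *sources):
    """Generic decorator: let one view allow extra sources for one directive."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            response = view(*args, **kwargs)
            response.extra_csp.setdefault(directive, []).extend(sources)
            return response
        return wrapper
    return decorator


def script_sources(*sources):
    """Shortcut for the common case: extra script-src entries (e.g. reCAPTCHA)."""
    return content_sources("script-src", *sources)


def framing_allowed(view):
    """Mark a view (e.g. documentation pages) as embeddable in an iframe."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        response = view(*args, **kwargs)
        response.allow_framing = True
        return response
    return wrapper


def build_policy(extra_csp, allow_framing, report_uri=None):
    """Merge base policy with per-view additions and serialize as a CSP value."""
    directives = {k: list(v) for k, v in BASE_POLICY.items()}
    for directive, sources in extra_csp.items():
        directives.setdefault(directive, ["'self'"]).extend(sources)
    if not allow_framing:  # same rule as X-Frame-Options: deny unless exempted
        directives["frame-ancestors"] = ["'none'"]
    # dict.fromkeys() drops duplicate sources while preserving order
    parts = [f"{d} {' '.join(dict.fromkeys(s))}" for d, s in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def apply_security_headers(response, report_only=False, report_uri=None):
    """Middleware step: set the security headers on a finished response.

    report_only/report_uri stand in for the SECURITY_POLICY_REPORT_ONLY and
    SECURITY_POLICY_REPORT_URI settings named in the commit message.
    """
    response.headers["X-XSS-Protection"] = "1; mode=block"
    if not response.allow_framing:
        response.headers["X-Frame-Options"] = "DENY"
    header = ("Content-Security-Policy-Report-Only" if report_only
              else "Content-Security-Policy")
    response.headers[header] = build_policy(
        response.extra_csp, response.allow_framing, report_uri)
    return response


# Sample views (constructed for the example)
def plain_view():
    return Response("ordinary page")


@script_sources("https://www.google.com/recaptcha/")
def signup_view():
    return Response("page with reCAPTCHA")


@framing_allowed
def docs_view():
    return Response("documentation page")


if __name__ == "__main__":
    for view in (plain_view, signup_view, docs_view):
        r = apply_security_headers(view(), report_only=False)
        print(view.__name__, r.headers)
```

Running it prints the three header sets; the documentation view carries no `X-Frame-Options` and no `frame-ancestors` directive, while the reCAPTCHA view gains only the extra `script-src` entry. Switching `report_only=True` moves the identical policy into `Content-Security-Policy-Report-Only` so violations are reported but not blocked.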
Instead of using <style> with import, set an explicit link like we do
for other stylesheets. This will make it possible to turn on a content
security policy for CSS.
The way these were handled they weren't really providing any value to
users, because a lot of sessions were registered and never run etc etc,
but did cause a lot of work for our moderators.
The general feature may return later in the form of "training providers"
or similar as part of the professional services section, but for now
there is no point in maintaining this data.
There has been a recent uptick in emails asking general questions and
support going to special purpose mailing lists. This renames the
"Technical Support" section to "Support," moves it further up the page,
and rewords it to help guide people to the appropriate places to help
get their questions answered.
This was removed when django removed support for it, but we then
switched markdown library and didn't re-enable it.
Since all content is moderated it's not so bad (per previous commit
message), but better safe than sorry.