
docs: mark SEC_REVIEW F62 as fixed in f044dbb

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa, 3 days ago
Commit 25f10f0d01
1 changed file with 28 additions and 1 deletion: doc/SEC_REVIEW.md

doc/SEC_REVIEW.md (+28, -1)

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (29 fixed, 13 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (30 fixed, 12 open).
 
 ---
 
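Review bot: the roll-up arithmetic is consistent (30 fixed + 12 open = 42 sev-1; the sev-3 and sev-2 totals are unchanged), but this line is hand-maintained and has to be edited on every status flip. Consider deriving it from the per-finding `**Status:**` lines with a small script (or a test that recomputes it) so the summary cannot drift from the findings below it.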
@@ -2005,6 +2005,33 @@
   `style-src` and move dynamic widths to a stylesheet driven by
   `data-*` attributes.
 - **Severity: 1**
+- **Status:** Fixed. `App\Http\CspMiddleware::policy` now emits
+  `style-src 'self'` only — `'unsafe-inline'` is gone. The two
+  templates that previously carried inline `style="…"` attributes
+  were migrated:
+  - **`partials/topnav.twig`** — the user-menu dropdown's
+    `style="display: none;"` pre-init hide replaced with
+    `x-cloak`. The bundled stylesheet
+    (`ui/resources/css/app.css`) now ships
+    `[x-cloak] { display: none !important; }` so the element is
+    hidden until Alpine boots and removes the attribute.
+  - **`pages/ips/detail.twig`** — the dynamic
+    `style="width: {{ width_pct }}%"` on the per-category score
+    bar replaced with `data-score-width="{{ width_bucket }}"` where
+    `width_bucket` is the percent rounded to 5%. The stylesheet
+    ships one rule per bucket
+    (`[data-score-width="0"] { width: 0%; }` …
+    `[data-score-width="100"] { width: 100%; }`). 5% buckets are
+    visually indistinguishable from per-pixel widths on the
+    1.5px-tall bar.
+  Regression tests in
+  `ui/tests/Unit/Http/CspMiddlewareTest.php` (extended
+  `testPolicyContainsNonceAndDropsUnsafeDirectives` to assert
+  `style-src 'self'`) and
+  `ui/tests/Integration/App/CspHeaderTest.php` (new
+  `testStyleSrcDropsUnsafeInline` and
+  `testNoInlineStyleAttributesInLoginTemplate`). Full UI suite
+  (188 tests / 587 assertions) passes.
 
 ### F63 — Twig `autoescape` default is not explicitly configured
 - **File:** `ui/src/App/Container.php:105-131`
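Review bot: the regression tests listed here do not cover the two templates this fix actually migrated. `testNoInlineStyleAttributesInLoginTemplate` asserts on the login template, while the inline `style="…"` attributes were removed from `partials/topnav.twig` and `pages/ips/detail.twig`; nothing in the listed tests guards against an inline style creeping back into either file. Under `style-src 'self'` that regression would not break CI, it would just be dropped by the browser (logged to the console or a report endpoint) and the element would render with its default layout. Suggest a test that scans every template under the Twig root for `style=` and `<style>`, or at minimum extend the existing assertion to the two migrated files. Two smaller points: the commit message says F62 is fixed in f044dbb, but the new Status paragraph never names that commit, so add the reference for traceability; and the `data-score-width` scheme only works if `width_bucket` is guaranteed server-side to be one of the 21 values 0, 5, …, 100, since any other value matches no rule and renders a zero-width bar, which is worth a unit test on the bucketing helper.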