@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (29 fixed, 13 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (30 fixed, 12 open).
---
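Review bot: the sev-1 rollup moves one finding from open to fixed (29/13 to 30/12) but the line does not say which finding moved; add the finding id (the CSP `style-src` finding whose status block is updated in the `@@ -2005` hunk of this same patch) in the commit message or beside the count so the rollup can be audited against the per-finding status blocks. The arithmetic itself checks out: 30 + 12 = 42, and the sev-2 and sev-3 totals are unchanged.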
@@ -2005,6 +2005,33 @@
`style-src` and move dynamic widths to a stylesheet driven by
`data-*` attributes.
- **Severity: 1**
+- **Status:** Fixed. `App\Http\CspMiddleware::policy` now emits
+ `style-src 'self'` only — `'unsafe-inline'` is gone. The two
+ templates that previously carried inline `style="…"` attributes
+ were migrated:
+ - **`partials/topnav.twig`** — the user-menu dropdown's
+ `style="display: none;"` pre-init hide replaced with
+ `x-cloak`. The bundled stylesheet
+ (`ui/resources/css/app.css`) now ships
+ `[x-cloak] { display: none !important; }` so the element is
+ hidden until Alpine boots and removes the attribute.
+ - **`pages/ips/detail.twig`** — the dynamic
+ `style="width: {{ width_pct }}%"` on the per-category score
+ bar replaced with `data-score-width="{{ width_bucket }}"` where
+ `width_bucket` is the percent rounded to 5%. The stylesheet
+ ships one rule per bucket
+ (`[data-score-width="0"] { width: 0%; }` …
+ `[data-score-width="100"] { width: 100%; }`). 5% buckets are
+ visually indistinguishable from per-pixel widths on the
+ 1.5px-tall bar.
+ Regression tests in
+ `ui/tests/Unit/Http/CspMiddlewareTest.php` (extended
+ `testPolicyContainsNonceAndDropsUnsafeDirectives` to assert
+ `style-src 'self'`) and
+ `ui/tests/Integration/App/CspHeaderTest.php` (new
+ `testStyleSrcDropsUnsafeInline` and
+ `testNoInlineStyleAttributesInLoginTemplate`). Full UI suite
+ (188 tests / 587 assertions) passes.
### F63 — Twig `autoescape` default is not explicitly configured
- **File:** `ui/src/App/Container.php:105-131`
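Review bot: the new integration test `testNoInlineStyleAttributesInLoginTemplate` covers the login template, but the two templates this change actually migrates are `partials/topnav.twig` and `pages/ips/detail.twig`, so a reintroduced `style="…"` attribute in either of them would not be caught by the suite; add an assertion per migrated template (or a scan of every template for `style=` attributes) so the `style-src 'self'` tightening is guarded where the regression risk sits. Two smaller points on the `pages/ips/detail.twig` migration: the bar only gets a width if `width_bucket` is exactly one of the 21 bucket values the stylesheet ships rules for (0, 5, ... 100), so the rounding to 5% should be asserted or clamped in the view code rather than assumed, otherwise a non-bucketed value matches no rule and renders a zero-width bar; and the rationale that 5% buckets are indistinguishable "on the 1.5px-tall bar" conflates height with width, since the visible granularity depends on the bar's rendered width in pixels, so either state that width or drop the rationale.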