oupala / apaxy

a simple, customisable theme for your apache directory listing
https://oupala.github.io/apaxy/
GNU General Public License v3.0

feat(): move javascript code into a separate js file #84

Closed oupala closed 7 years ago

oupala commented 7 years ago

Move javascript code into a separate js file as it enables apaxy to be compliant with the most secure content security policy (aka CSP). You can now use the following Content Security Policy:

Content-Security-Policy: default-src 'self'
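
What that policy means for markup like the footer, as an added example that is not part of the pull request or of apaxy's code: a small Node.js lint that flags the inline scripts, handlers and styles a browser refuses to run under `default-src 'self'`. The two footers are constructed samples, and `/theme/apaxy.js` is an assumed path for the externalized script.

```javascript
// Heuristic lint (regex based, not a full HTML parser): report markup that a
// browser enforcing "Content-Security-Policy: default-src 'self'" will block.
// script-src and style-src both fall back to default-src, so without
// 'unsafe-inline' every inline script, event handler and style is refused.
const CHECKS = [
  { kind: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
  { kind: 'event-handler', re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  { kind: 'javascript-url', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  { kind: 'inline-style-block', re: /<style\b[^>]*>/gi },
  { kind: 'style-attribute', re: /<[a-z][^>]*\sstyle\s*=/gi },
];

// Returns one finding per match: what was found, on which line, and a snippet.
function findInlineCspViolations(html) {
  const findings = [];
  for (const { kind, re } of CHECKS) {
    for (const m of html.matchAll(re)) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ kind, line, snippet: m[0].slice(0, 60) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: a footer with an inline style and an inline script,
// which only works when the policy also allows 'unsafe-inline'.
const footerBefore = `<div class="footer">
  <p style="margin:0">Apaxy</p>
</div>
<script>
  document.title = 'Index of ' + location.pathname;
</script>`;

// Constructed sample: the same footer with the script moved to a file and the
// style moved to a class. /theme/apaxy.js is an assumed path.
const footerAfter = `<div class="footer">
  <p class="credit">Apaxy</p>
</div>
<script src="/theme/apaxy.js"></script>`;

for (const [name, html] of [['before', footerBefore], ['after', footerAfter]]) {
  const found = findInlineCspViolations(html);
  console.log(`${name}: ${found.length} finding(s)`);
  for (const f of found) console.log(`  line ${f.line}: ${f.kind}  ${f.snippet}`);
}
```
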

oupala commented 7 years ago

By the way, I wonder what is this javascript useful for?

Everything seems to work even without this piece of javascript. Am I missing a specific feature?

If the js file is useless, it might be easier to delete it than to externalize it...

oupala commented 7 years ago

Any thought on this pull request? And associated question?

oupala commented 7 years ago

Are you willing to merge this request or not?

Is there a problem with my code? Should I improve it in a specific way?

nodiscc commented 7 years ago

@oupala I agree that it makes things better regarding CSP (currently it requires self unsafe-inline), however this adds a required manual modification of footer.html during the installation process. It would also break upgrade flows based on git pull when footer.html has been modified here (since files would diverge).

If you could adapt your changes not to require manual changes in a git tracked file, I think it would be much better. (use relative paths?)

oupala commented 7 years ago

I understand your point of view and I agree with it: apaxy should be as simple as possible to install. apaxy should be a KISS hassle-free piece of code that makes directory listing more beautiful.

But, we also want apaxy to be efficient to a directory and all its subdirectories, not only in the directory it is installed. This makes it mandatory to specify absolute paths to all external files: images, css and javascript.

This is the main reason we already merged pull request #78 and this is why I believe there is no workaround to avoid absolute path to load files. If you know one, please tell us.

And between a simple installation and a secure installation, my preference goes to security and I plead for security and the associated content security policy. Hence my pull request.

oupala commented 7 years ago

If you do not plan to merge this pull request, I'd be pleased if you can tell me.

If you plan to merge this pull request, please do!

AdamWhitcroft commented 7 years ago

@oupala Done, thanks for that and apologies for the delayed response. I don't have much time for these projects at the moment.

oupala commented 7 years ago

Great, thanks @AdamWhitcroft!