Multiple Security Headers

[BenjaminHae]

This is a big PR that does the following:

• separate controller and view (all html output is now free from program logic) this makes the code more readable. It should now be easier to spot security issues and write clean code.
• separate javascript from html. This partly belongs to the first point but I list it extra because this allows us to introduce a Content-Security-Policy which should remove any threat of Cross-Site-Scripting
• Introduced header X-Frame-Options to prevent clickjacking.
• Fix a small information disclosure vulnerability (finding out which users exist)

All of those changes make it possible for browsers to better use caching, as all static html, js and css can be cached. This could mean a huge speed boost on mobile devices with bad internet connections.

For future developers: Content-Security-Policy means no inline javascript or css is executed. So we can't use

<script>alert("foo");</script>

or

<a href="javascript:doSomething();">click here</a>

or

<a onclick="doSomething("parameter");">click here</a>

anymore. Instead use

<a id="foo">click here</a>

and in a separate js file

$(function(){//this get's executed on document.load
    $("#foo").on('click',{"param":"parameter"},function(event){doSomething(event.data.param);});
    alert("foo");
}

The same goes for css:

 <p style="color: red">Red text</p>

instead put the style in the style.css file and use a class on the paragraph.

I've tested everything on my test-installation. It worked very well so far.

[zeruniverse]

Thank you. I'll take a look

[BenjaminHae]

Maybe these changes deserve a version bump. But we could move all "background" php files to rest before we do that. I'll do those when I have time again.

[zeruniverse]

Yes, but I want to mark the current 'master' branch as a new release first. I.e. Mark the current 'master' branch as 9.12 and after you merge in this change, make it 9.13

[zeruniverse]

Sorry but what do you mean by moving all background php to rest?

[BenjaminHae]

I want to move all that contain application logic to the rest/ folder. Like change.php, insert.php...

[zeruniverse]

I'm not against it.

On Wed, Feb 1, 2017 at 9:59 PM Benjamin Häublein notifications@github.com wrote:

I want to move all that contain application logic to the rest/ folder. Like change.php, insert.php...

— You are receiving this because you commented.

Reply to this email directly, view it on GitHub https://github.com/zeruniverse/Password-Manager/pull/123#issuecomment-276875572, or mute the thread https://github.com/notifications/unsubscribe-auth/AEbvNPuVhuBZqbqcQ-iNFz2YDQDLCCBFks5rYXDdgaJpZM4L0RPc .