Migrate to a good Content Security Policy (#1023)

So attacks such as XSS (see [0]) will no longer be an issue.

[0]: https://github.com/omarroth/invidious/issues/1022
leonklingele
2020-03-16 06:46:08 +09:00
committed by GitHub
parent f92027c44b
commit 70cbe91776
29 changed files with 274 additions and 175 deletions


@@ -2,12 +2,6 @@
<title><%= translate(locale, "Preferences") %> - Invidious</title>
<% end %>
<script>
function update_value(element) {
document.getElementById('volume-value').innerText = element.value;
}
</script>
<div class="h-box">
<form class="pure-form pure-form-aligned" action="/preferences?referer=<%= URI.encode_www_form(referer) %>" method="post">
<fieldset>
@@ -65,7 +59,7 @@ function update_value(element) {
<div class="pure-control-group">
<label for="volume"><%= translate(locale, "Player volume: ") %></label>
<input name="volume" id="volume" oninput="update_value(this);" type="range" min="0" max="100" step="5" value="<%= preferences.volume %>">
<input name="volume" id="volume" data-onrange="update_volume_value" type="range" min="0" max="100" step="5" value="<%= preferences.volume %>">
<span class="pure-form-message-inline" id="volume-value"><%= preferences.volume %></span>
</div>
@@ -205,7 +199,7 @@ function update_value(element) {
<% # Web notifications are only supported over HTTPS %>
<% if Kemal.config.ssl || config.https_only %>
<div class="pure-control-group">
<a href="#" onclick="Notification.requestPermission()"><%= translate(locale, "Enable web notifications") %></a>
<a href="#" data-onclick="notification_requestPermission"><%= translate(locale, "Enable web notifications") %></a>
</div>
<% end %>
<% end %>
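Review bot: The new `data-onrange="update_volume_value"` and `data-onclick="notification_requestPermission"` attributes carry handler names as strings, and the script that binds them is outside this section, so it cannot be confirmed here that those names are resolved against a fixed set of known handlers rather than looked up on the global object. Under a CSP that forbids inline script, an open name lookup would let any injected markup carrying a `data-on*` attribute trigger functions the page never meant to expose, which gives back part of what the policy takes away. The binding code should map each accepted name to a function explicitly and ignore everything else, and the template should state the contract, e.g. `<% # data-on* values must be handler names known to the page script; never interpolate request data into them %>`. The "Enable web notifications" link also keeps `href="#"`, so the bound handler should call `preventDefault()` to avoid the jump to the top of the page.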