- F1 case_detail.html: scheme-check source_ref href (block javascript: URLs)
- F2 admin.html / F3 admin_federation.html: replace inline onsubmit confirm() with data-attr + global handler in base.html (no more label/domain interpolation into onsubmit attribute string)
- federation.register_peer: validate hostname + fingerprint regex at ingest
- federation_explore.html: window.PSYC_EXPLORE via | tojson
- federation_network.js: DOMAIN_RE guard on peer-supplied domain before building cross-origin fetch URL (also closes open-redirect via 'open their explorer' button)
- app.py: nosniff + Referrer-Policy: no-referrer + X-Frame-Options: DENY
- sw.js: psyc-v11 cache bump

CSP deferred — needs inline scripts moved to external files first.

Tests: +2 cases, 245/245 green.