summaryrefslogtreecommitdiff
path: root/public/javascripts/admin_interface.js
diff options
context:
space:
mode:
authorerdgeist <erdgeist@erdgeist.org>2026-07-18 16:30:31 +0200
committererdgeist <erdgeist@erdgeist.org>2026-07-18 16:30:31 +0200
commit0c6783816e0a7a8acad922296d3eb8cc454fb981 (patch)
tree54c59e86afa188de6429ff0e1f07d1b6e4f36350 /public/javascripts/admin_interface.js
parent6b6e50909cc77de1797e88be5445c5b643b008a9 (diff)
Emit a report-only Content-Security-Policy with nonced inline scripts
- dark-mode restore now travels nonced, the admin constants likewise - AUTH_TOKEN deleted in favour of the csrf meta tag - new report collector at /csp_reports
Diffstat (limited to 'public/javascripts/admin_interface.js')
-rw-r--r--public/javascripts/admin_interface.js6
1 files changed, 2 insertions, 4 deletions
diff --git a/public/javascripts/admin_interface.js b/public/javascripts/admin_interface.js
index c0e2d9c..b7bdc10 100644
--- a/public/javascripts/admin_interface.js
+++ b/public/javascripts/admin_interface.js
@@ -82,10 +82,8 @@ $(document).ready(function () {
82 }); 82 });
83 83
84 $(document).ajaxSend(function(event, request, settings) { 84 $(document).ajaxSend(function(event, request, settings) {
85 if (typeof(AUTH_TOKEN) == "undefined") return; 85 var meta = document.querySelector("meta[name='csrf-token']");
86 // settings.data is a serialized string like "foo=bar&baz=boink" (or null) 86 if (meta) request.setRequestHeader("X-CSRF-Token", meta.content);
87 settings.data = settings.data || "";
88 settings.data += (settings.data ? "&" : "") + "authenticity_token=" + encodeURIComponent(AUTH_TOKEN);
89 }); 87 });
90 88
91}); 89});