Token delete formdata fix method #53
Why the change if the AJAX is sent over GET and not POST?
{
if (res["status"] =='OK')
$("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='"+formData.get('redirect')+"'> "+formData.get('success')+"</a></div>")
else
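Review bot: formData.get('redirect') and formData.get('success') are concatenated straight into the markup handed to $("#res").html(), so any markup or quote characters in those form fields are parsed as HTML; set the user-facing part with .text() or escape it before building the string, and check that the redirect value is a same-origin path before using it as an href.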
Don't you need these with {% trans %}?
}, function(reason) {
$("#res").html("<div class='alert alert-danger'>Registeration Failed as " +reason +", <a href='javascript:void(0)' onclick='begin_reg()'> try again </a> or <a href='"+formData.get('home')+"'> Go to Security Home</a></div>")
}
else {
$("#msgdiv").addClass("alert alert-danger").removeClass("alert-success")
$("#msgdiv").html("Verification Failed as " + res.message + ", <a href='javascript:void(0)' onclick='authen())'> try again</a> or <a href='javascript:void(0)' onclick='history.back()'> Go Back</a>")
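Review bot: onclick='authen())' in the verification-failed branch has an unbalanced closing parenthesis, so clicking "try again" throws a SyntaxError instead of calling authen(). In the same lines, reason, res.message and formData.get('home') are interpolated into .html() without escaping, and the inline onclick handlers are exactly what the strict-CSP goal discussed in this thread rules out; attach the handlers with addEventListener from the static file and escape the server-supplied text. "Registeration" should read "Registration".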
mfa/static/mfa/js/U2F/recheck.js
}
else if(formData.get('mode') === 'recheck') {
$.ajax({
"url":"{% url 'u2f_recheck' %}",
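Review bot: "{% url 'u2f_recheck' %}" is a Django template tag, but this file lives under mfa/static/, which is served verbatim and never passed through the template engine, so the request would go to that literal string. Emit the URL from the template instead (for example as a data-* attribute on the form or a small JSON config element) and read it from the script.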
This won’t work under {% static %}
mfa/static/mfa/js/delete-token.js
function deleteKey(id,name,confirm_url)
{
$("#modal-title").html("Confirm Delete")
$("#modal-body").html("Are you sure you want to delete '"+name+"'? you may lose access to your system if this your only 2FA.");
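Review bot: name is inserted into the modal body through .html() without escaping, so a token whose name contains markup is rendered as HTML in the confirmation dialog; build the sentence with .text() or escape the user-supplied part. The message should also read "if this is your only 2FA".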
window.mfa_success_function=success_func;
window.mfa_failed_function=fail_func;
$.ajax({
"url":"{% url 'mfa_recheck' %}",
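Review bot: same problem as in recheck.js: "{% url 'mfa_recheck' %}" is never rendered inside a static JS file, so the AJAX call targets the literal tag text; take the URL from a data attribute or config element written by the template. Storing the callbacks on window.mfa_success_function / window.mfa_failed_function also makes them globally overwritable by any other script on the page; pass them as arguments or keep them in module scope.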
}
else
{
$("#modal-title").html("Recheck Indentity")
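Review bot: "Recheck Indentity" should read "Recheck Identity".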
Sorry, I'm not done yet; my intention was to do internationalization and be CSP conformant without inline JavaScript or CSS. I will provide further updates soon.
mkalioby left a comment:
Thanks for the effort, please consider the comment.
Hello, any updates on this PR?
Still on it; to achieve conformity with strict CSP rules, we have to rewrite some JavaScript.
Ok, can you share the rules so I can work with you on them? Thanks for your help.
mkalioby left a comment:
Did you test this version? It won't work, as the AJAX gets the URLs through a {% url %} tag, which won't work with static JS.
I have now stripped, as recommended, all url tags from the JS files; see my latest implementation at master...AndreasDickow:master. Can you please review the code?
update yubikey compatibility
update Setup requirements
We have now included translation tags for international usage and added a German translation of the status messages. Additionally, the library now conforms to strict CSP settings that do not allow JavaScript and style in HTML files.
Any updates on the CSP-compliant part? I would like to prevent unsafe-hashes or any other inline allowance in our solution.
Added to version 3.1; the beta is available on PyPI.
@mkalioby Thanks, I will. But I was more referring to the work @AndreasDickow did on getting the templates CSP compliant. In short, don't include inline CSS or script directly in the HTML files; everything should be in a separate (css/js) file. Therefore the browser can trust the source of origin. Alternatively, but I don't have much experience with it other than I know we use it, is adding support for django-csp, where you can include the nonce(s). I tried to include the hashes of each script, but couldn't get this to work since the If the CSP changes aren't on the roadmap yet, I could try with best effort to contribute to this.
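The thread above settles on three things: static JS cannot contain {% url %} tags, strict CSP forbids inline script and onclick handlers, and server- or user-supplied strings should not be concatenated into .html(). The following is an added example that is not code from django-mfa2 or from this PR; it shows one way to satisfy all three in a static file. It assumes a hypothetical markup contract: a <div id="mfa-config"> carrying data-recheck-url and data-delete-url attributes rendered by the template, buttons with class mfa-delete carrying data-key-id and data-key-name, and a #res element for status output. The endpoint URLs, element ids and attribute names are assumptions, not the project's.

```javascript
// Added example (not django-mfa2 code): wiring a static JS file without {% url %}
// tags or inline handlers. Assumed template contract (hypothetical):
//   <div id="mfa-config" data-recheck-url="/mfa/recheck/" data-delete-url="/mfa/delete/"></div>
//   <button class="mfa-delete" data-key-id="7" data-key-name="My YubiKey">Delete</button>
// The helpers are pure functions so they can be exercised outside a browser.

const REQUIRED_ENDPOINTS = ["recheckUrl", "deleteUrl"];

// Escape text before it is placed into markup: jQuery's .html() and innerHTML
// execute any markup found in a token name or a server-supplied message.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only path-absolute, same-origin URLs from the config element, so a
// tampered data attribute cannot point the POST at another host or a javascript: URL.
function isSafeRelativeUrl(url) {
  return typeof url === "string" && /^\/(?!\/)/.test(url);
}

// Read the endpoint map the template exposes via data-* attributes. This replaces
// {% url %} tags, which Django never renders inside files served from static/.
function readEndpoints(dataset) {
  const endpoints = {};
  for (const key of REQUIRED_ENDPOINTS) {
    const url = dataset[key];
    if (!isSafeRelativeUrl(url)) {
      throw new Error(`missing or unsafe endpoint in data attributes: ${key}`);
    }
    endpoints[key] = url;
  }
  return endpoints;
}

// Build the status markup with every dynamic value escaped. The retry link has
// no inline onclick; the handler is attached below with addEventListener.
function renderStatus(kind, message, link) {
  const cls = kind === "success" ? "alert alert-success" : "alert alert-danger";
  let html = `<div class="${cls}">${escapeHtml(message)}`;
  if (link) {
    const href = isSafeRelativeUrl(link.href) ? link.href : "#";
    html += `, <a href="${escapeHtml(href)}" class="mfa-retry">${escapeHtml(link.text)}</a>`;
  }
  return html + "</div>";
}

// POST the form body to a same-origin endpoint; the CSRF token is appended from
// Django's hidden csrfmiddlewaretoken input when one is present on the page.
function postForm(url, body) {
  return fetch(url, {
    method: "POST",
    body,
    credentials: "same-origin",
    headers: { "X-Requested-With": "XMLHttpRequest" },
  }).then((r) => r.json());
}

// Browser-only wiring (skipped under Node): handlers live here, not in onclick="".
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const endpoints = readEndpoints(document.getElementById("mfa-config").dataset);
    const out = document.getElementById("res");
    document.querySelectorAll(".mfa-delete").forEach((btn) => {
      btn.addEventListener("click", () => {
        const body = new FormData();
        body.append("id", btn.dataset.keyId);
        const csrf = document.querySelector("input[name=csrfmiddlewaretoken]");
        if (csrf) body.append("csrfmiddlewaretoken", csrf.value);
        postForm(endpoints.deleteUrl, body)
          .then((res) => {
            out.innerHTML = res.status === "OK"
              ? renderStatus("success", `Deleted ${btn.dataset.keyName}`)
              : renderStatus("danger", `Delete failed: ${res.message}`, { href: endpoints.recheckUrl, text: "try again" });
          })
          .catch((err) => { out.innerHTML = renderStatus("danger", `Request failed: ${err.message}`); });
      });
    });
  });
}
```

With this layout the page needs only script-src 'self' (or a django-csp nonce on the single script tag), because nothing executable remains in the HTML, and the token name or server message can no longer inject markup into the status area.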
Delete token used the wrong method to access formdata; I exchanged it for POST instead of GET, and that fixed the error on submit.