On 2/10/2016 1:14 PM, J.C. Cleaver wrote:
On the refresh value, this was an unintentionally broad change.
CSP sadly catches the META HTTP-EQUIV "Refresh" tag as well as something that is no longer honored, which requires moving it up into the actual HTTP headers. This updated version of the CSP patch (from the last email) does two things:
- separates out info and trends pages from "regular" svcstatus pages. The former won't be auto-refreshed.
- adds a previously-referenced XYMWEBREFRESH variable, which can be used to configure this (default: 60s)
Going from 60s to 30s was an error on my part. I'd actually thought that was the value for some reason...
These patches are helping. Thank you!
On info pages not allowing _targets, that's also something caught by CSP. The patch should fix this as well. Please verify if you can.
To let the "target=_blank" option work, I needed to add "allow-popups" to line 269 of lib/cgi.c
269 else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-popups;");
--
Do things because you should, not just because you can.

John Thurston 907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
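
The check below is an added example, not part of this thread or of the Xymon source: it parses a policy string such as the one on line 269 and reports whether its sandbox directive carries a given flag. Without allow-popups, a sandboxed page cannot open target=_blank links. The function name csp_sandbox_has is hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not from lib/cgi.c).
 * Returns  1 if the policy has a sandbox directive containing `flag`,
 *          0 if it has a sandbox directive without `flag`,
 *         -1 if it has no sandbox directive at all. */
int csp_sandbox_has(const char *policy, const char *flag)
{
    size_t flen = strlen(flag);
    const char *p = policy;

    while (*p) {
        /* Skip separators and whitespace before the directive name. */
        while (*p == ';' || isspace((unsigned char)*p)) p++;
        const char *end = strchr(p, ';');
        if (!end) end = p + strlen(p);

        size_t n = strcspn(p, " \t;");          /* length of directive name */
        if (n == 7 && strncasecmp(p, "sandbox", 7) == 0) {
            const char *t = p + n;
            while (t < end) {
                while (t < end && isspace((unsigned char)*t)) t++;
                size_t tl = 0;
                while (t + tl < end && !isspace((unsigned char)t[tl])) tl++;
                /* Whole-token match, so allow-popups-to-escape-sandbox
                 * is not mistaken for allow-popups. */
                if (tl == flen && strncasecmp(t, flag, flen) == 0) return 1;
                t += tl;
            }
            return 0;
        }
        p = end;
    }
    return -1;
}

int main(void)
{
    /* Policy string as quoted in the message above. */
    const char *info = "script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                       "form-action 'self'; sandbox allow-forms allow-scripts allow-popups;";
    printf("allow-popups: %d\n", csp_sandbox_has(info, "allow-popups"));
    printf("allow-modals: %d\n", csp_sandbox_has(info, "allow-modals"));
    return 0;
}
```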