X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;ds=sidebyside;f=src%2Forg%2Fcacert%2Fgigi%2FGigi.java;h=bdd0e9cd2a8ca7a53ba25145cdd6af4b12300308;hb=42495354baad719d52d1e126f7e3d778e42a3e51;hp=b6aa90ebd5386b26f3742d41e7090a10829a297b;hpb=c340139d6370117bbf7fb5172ca9dd8ac6e40828;p=gigi.git

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index b6aa90eb..bdd0e9cd 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -16,6 +16,8 @@ import javax.servlet.http.HttpSession;
 
 import org.cacert.gigi.database.DatabaseConnection;
 import org.cacert.gigi.email.EmailProvider;
+import org.cacert.gigi.output.Menu;
+import org.cacert.gigi.output.MenuItem;
 import org.cacert.gigi.output.Outputable;
 import org.cacert.gigi.output.Template;
 import org.cacert.gigi.pages.LoginPage;
@@ -37,6 +39,7 @@ public class Gigi extends HttpServlet {
 	private static final long serialVersionUID = -6386785421902852904L;
 	private Template baseTemplate;
 	private HashMap<String, Page> pages = new HashMap<String, Page>();
+	Menu m;
 
 	public Gigi(Properties conf) {
 		EmailProvider.init(conf);
@@ -57,6 +60,10 @@ public class Gigi extends HttpServlet {
 		pages.put(MailAdd.DEFAULT_PATH, new MailAdd("Add new email"));
 		baseTemplate = new Template(new InputStreamReader(
 				Gigi.class.getResourceAsStream("Gigi.templ")));
+		m = new Menu("Certificates", "cert", new MenuItem(
+				MailOverview.DEFAULT_PATH, "Emails"), new MenuItem("",
+				"Client Certificates"), new MenuItem("", "Domains"),
+				new MenuItem("", "Server Certificates"));
 		super.init();
 
 	}
@@ -112,6 +119,7 @@ public class Gigi extends HttpServlet {
 
 				}
 			};
+			vars.put("menu", m);
 			vars.put("title", p.getTitle());
 			vars.put("static", ServerConstants.getStaticHostNamePort());
 			vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
@@ -146,13 +154,35 @@ public class Gigi extends HttpServlet {
 	}
 
 	public static void addXSSHeaders(HttpServletResponse hsr) {
-		hsr.addHeader("Access-Control-Allow-Origin",
-				"http://cacert.org https://localhost");
+		hsr.addHeader("Access-Control-Allow-Origin", "https://"
+				+ ServerConstants.getWwwHostNamePort() + " https://"
+				+ ServerConstants.getSecureHostNamePort());
 		hsr.addHeader("Access-Control-Max-Age", "60");
-		hsr.addHeader("Content-Security-Policy", "default-src 'self' https://"
-				+ ServerConstants.getStaticHostNamePort()
-				+ ";frame-ancestors 'none'");
-		// ;report-uri https://felix.dogcraft.de/report.php
 
+		hsr.addHeader("Content-Security-Policy", getDefaultCSP());
+		hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
+
+	}
+	private static String defaultCSP = null;
+	private static String getDefaultCSP() {
+		if (defaultCSP == null) {
+			StringBuffer csp = new StringBuffer();
+			csp.append("default-src 'none';");
+			csp.append("font-src https://"
+					+ ServerConstants.getStaticHostNamePort());
+			csp.append(";img-src https://"
+					+ ServerConstants.getStaticHostNamePort());
+			csp.append(";media-src 'none'; object-src 'none';");
+			csp.append("script-src https://"
+					+ ServerConstants.getStaticHostNamePort());
+			csp.append(";style-src https://"
+					+ ServerConstants.getStaticHostNamePort());
+			csp.append(";form-action https://"
+					+ ServerConstants.getSecureHostNamePort() + " https://"
+					+ ServerConstants.getWwwHostNamePort());
+			csp.append("report-url https://api.cacert.org/security/csp/report");
+			defaultCSP = csp.toString();
+		}
+		return defaultCSP;
 	}
 }