From dd00e9d279350e728b9457b8cdbf1019a706c644 Mon Sep 17 00:00:00 2001 From: Pierre Rudloff Date: Mon, 3 Jul 2017 10:17:37 +0200 Subject: [PATCH 1/3] Remove Google Cast support since the JS library does not seem to be maintained anymore and it frequently breaks --- Gruntfile.js | 6 +- css/style.css | 12 --- img/ic_media_route_disabled_holo_light.png | Bin 380 -> 0 bytes img/ic_media_route_off_holo_light.png | Bin 401 -> 0 bytes img/ic_media_route_on_holo_light.png | Bin 439 -> 0 bytes js/cast.js | 109 --------------------- templates/inc/footer.tpl | 1 - templates/inc/head.tpl | 1 - templates/video.tpl | 2 - 9 files changed, 3 insertions(+), 128 deletions(-) delete mode 100644 img/ic_media_route_disabled_holo_light.png delete mode 100644 img/ic_media_route_off_holo_light.png delete mode 100644 img/ic_media_route_on_holo_light.png delete mode 100644 js/cast.js diff --git a/Gruntfile.js b/Gruntfile.js index ea379ad..01d1704 100644 --- a/Gruntfile.js +++ b/Gruntfile.js @@ -11,7 +11,7 @@ module.exports = function (grunt) { uglify: { combine: { files: { - 'dist/main.js': ['js/cast.js'] + 'dist/main.js': ['js/*.js'] } } }, @@ -128,8 +128,8 @@ module.exports = function (grunt) { grunt.loadNpmTasks('grunt-potomo'); grunt.loadNpmTasks('grunt-contrib-csslint'); - grunt.registerTask('default', ['uglify', 'cssmin', 'potomo']); - grunt.registerTask('lint', ['jslint', 'csslint', 'fixpack', 'jsonlint', 'phpcs']); + grunt.registerTask('default', ['cssmin', 'potomo']); + grunt.registerTask('lint', ['csslint', 'fixpack', 'jsonlint', 'phpcs']); grunt.registerTask('test', ['phpunit']); grunt.registerTask('doc', ['phpdocumentor']); grunt.registerTask('release', ['default', 'githash', 'compress']); diff --git a/css/style.css b/css/style.css index eb886dc..6acce45 100644 --- a/css/style.css +++ b/css/style.css 
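Review bot: The two Gruntfile.js hunks pull in different directions: the first widens the uglify input to `'dist/main.js': ['js/*.js']`, while the second drops `uglify` from `grunt.registerTask('default', ['cssmin', 'potomo']);`, so the uglify target stays in the config but is no longer run by `default` (and therefore not by `release`), and `dist/main.js` stops being produced unless something else invokes it. If no script is meant to remain after js/cast.js is deleted, the uglify target and its task loading could go as well; if a template still references the bundle, `uglify` should stay in the default task. Removing `jslint` from the `lint` task also leaves Gruntfile.js itself unlinted, which may be intended but is worth a word in the commit message. The enclosing `module.exports` function starts and ends outside both hunks.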
@@ -544,18 +544,6 @@ h1 { max-width:700px; } -.cast_btn { - cursor:pointer; -} - -.cast_hidden { - display:none; -} - -.cast_icon { - vertical-align:middle; -} - .format { text-align:left; } diff --git a/img/ic_media_route_disabled_holo_light.png b/img/ic_media_route_disabled_holo_light.png deleted file mode 100644 index 319c57e8f343f22b12799ab91937eac20ca6eb80..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 380 zcmV-?0fYXDP)L{ot;E?S6hQ`J zR3c>RCCH0(>C~m`{>WYJ67&az5_kw16V!u;Li1RH=KKzxLx%>@*j^9s3m;yX41e#l z=b2~*L13s{2ZrLM1Ly$C17v=?=s3=OQeWu0Zg>AH@MCrVdCEUmRX3py5Y>dwC@QG{ z-Dwd`M*VuJ59dtih)EYxueJGB73L_Fz%Cpo<(RjH=c19xm!IKnG>*x(YC zw8pTE8#Lr`^sz+?xugR;;zcIm98E0X;}91~Pr;dV|5B=Oig%19P*|NI3TQ|CoX4s_ zSoRLq7|6AnjN+TzQ^E&=Bq|WDeAx9&gwJU{<+NFO6el?5vl;tC+yJKjW1<7-0ICD* a1Q-BA!9d^IFiXz>000085Sl%Fd?aIM)B~z^1fxW#74k*@Py* zE}JlcxRwsE+b=0^XzE&mM?B+|Fm(jI4seGdj&Y9{LZnm$uzveT#H2@*YZPVB8ru85 zi2i&PGw})oE>HP#nR0=|y3*}f z%65Q%oDQSi0nevE2WWQpF)&XT{DQ4h0ioBfS!<*DNzHy2b1neJgh25n#(gQ!_qNo{w4Z4Ar!#11a_(lzw}LpZ_<2IPmWu+;%`j`Pxm2TUT0 z8@yu}6PUxL6OUuF?f0l-RraOvBe!S(OA@H*)Jhn}E@= Google Cast™ Casting to ChromeCast…'); - window.__onGCastApiAvailable = loadCastApi; - } - } - }; -}()); - -if (typeof window === 'object') { - window.addEventListener('load', castModule.init, false); -} diff --git a/templates/inc/footer.tpl b/templates/inc/footer.tpl index bcc7eb8..1bca78f 100644 --- a/templates/inc/footer.tpl +++ b/templates/inc/footer.tpl @@ -16,6 +16,5 @@ {t}Based on{/t} youtube-dl - diff --git a/templates/inc/head.tpl b/templates/inc/head.tpl index 16e185f..3524870 100644 --- a/templates/inc/head.tpl +++ b/templates/inc/head.tpl @@ -19,7 +19,6 @@ - diff --git a/templates/video.tpl b/templates/video.tpl index 6abf0ba..12797f6 100644 --- a/templates/video.tpl +++ b/templates/video.tpl @@ -5,8 +5,6 @@ {include file="inc/logo.tpl"}

{t}You are going to download{/t} .

From 59e5df4aa65e82758a37e1524fc41573d2ff8813 Mon Sep 17 00:00:00 2001 From: Pierre Rudloff Date: Mon, 3 Jul 2017 10:19:20 +0200 Subject: [PATCH 2/3] Content-Security-Policy and other security headers --- .htaccess | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.htaccess b/.htaccess index 6487a7c..ca8ae0c 100644 --- a/.htaccess +++ b/.htaccess @@ -28,3 +28,10 @@ FileETag None AddOutputFilterByType DEFLATE text/css text/html application/javascript font/truetype + + + Header set X-Frame-Options DENY + Header set X-Content-Type-Options nosniff + Header set X-XSS-Protection "1; mode=block" + Header set Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'none'; img-src http:" + From b4f0cf7a38a94a4e67e05ed8a11e2736e56d7940 Mon Sep 17 00:00:00 2001 From: Pierre Rudloff Date: Mon, 3 Jul 2017 10:35:28 +0200 Subject: [PATCH 3/3] Use HttpOnly session cookies --- classes/LocaleManager.php | 1 + 1 file changed, 1 insertion(+) diff --git a/classes/LocaleManager.php b/classes/LocaleManager.php index d822588..9c9ce9d 100644 --- a/classes/LocaleManager.php +++ b/classes/LocaleManager.php @@ -40,6 +40,7 @@ class LocaleManager { $session_factory = new \Aura\Session\SessionFactory(); $session = $session_factory->newInstance($cookies); + $session->setCookieParams(['httponly' => true]); $this->sessionSegment = $session->getSegment('Alltube\LocaleManager'); $cookieLocale = $this->sessionSegment->get('locale'); if (isset($cookieLocale)) {
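Review bot: `Header set` in Apache only applies to successful (2xx) responses by default, so 4xx/5xx and redirect responses leave without X-Frame-Options or the CSP; each of the four lines should read `Header always set …` to cover every response. `img-src http:` admits images from any plaintext-HTTP host while listing no https source at all, which invites mixed content on an HTTPS deployment and, in browsers that do not upgrade scheme-only sources, blocks HTTPS-hosted thumbnails; `img-src 'self' https: http:` or an explicit host list would state the intent more tightly. With `style-src` absent, styles fall back to `default-src 'self'`, so any inline `style` attribute or `<style>` block in the templates will be blocked — worth checking before shipping. The surrounding `<IfModule mod_headers.c>` wrapper this hunk presumably sits in cannot be confirmed here because the page has lost the angle-bracketed lines.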
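Review bot: The added `$session->setCookieParams(['httponly' => true]);` leaves the `secure` flag at its default, so the session cookie is still sent over plain HTTP even when the site is served over HTTPS; pass `['httponly' => true, 'secure' => true]` when HTTPS is in use, or derive `secure` from the request scheme if both are served. A `samesite` value would also be worth adding if the installed Aura\Session version accepts it. Calling `setCookieParams()` before the first `$this->sessionSegment->get('locale')` appears to be the right order, since the session seems to be started lazily on first read. The enclosing method starts and ends outside the hunk.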