From 2d3e843d64baa0990094f77c6a051fe5b2cd6343 Mon Sep 17 00:00:00 2001
From: zzz <zzz@i2pmail.org>
Date: Mon, 11 May 2020 07:50:36 -0400
Subject: [PATCH] Plugin headers and CSP (Gitlab issue #44)

Prep for stricter script-src:
Add headers, remove js onload, move init call to the js
Add nonces to all scripts, can't use yet due to innerHTML (see Gitlab issue #45)
---
 webui/src/main/js/advancedSharing.js        |  6 +++++-
 webui/src/main/js/browse.js                 |  4 ++++
 webui/src/main/js/certificates.js           |  4 ++++
 webui/src/main/js/conncount.js              |  4 ++++
 webui/src/main/js/download.js               |  4 ++++
 webui/src/main/js/feeds.js                  |  6 +++++-
 webui/src/main/js/fileDetails.js            |  4 ++++
 webui/src/main/js/files.js                  |  6 +++++-
 webui/src/main/js/filesTable.js             |  6 +++++-
 webui/src/main/js/search.js                 |  8 ++++++++
 webui/src/main/js/status.js                 |  4 ++++
 webui/src/main/js/translate.js              |  4 ++++
 webui/src/main/js/trustLists.js             |  4 ++++
 webui/src/main/js/trustUsers.js             |  4 ++++
 webui/src/main/js/upload.js                 |  4 ++++
 webui/src/main/webapp/AboutMe.jsp           |  8 ++++----
 webui/src/main/webapp/AdvancedSharing.jsp   |  8 ++++----
 webui/src/main/webapp/BrowseHost.jsp        | 12 ++++++------
 webui/src/main/webapp/ConfigurationPage.jsp |  2 +-
 webui/src/main/webapp/Downloads.jsp         |  6 +++---
 webui/src/main/webapp/Feeds.jsp             | 10 +++++-----
 webui/src/main/webapp/FileDetails.jsp       | 10 +++++-----
 webui/src/main/webapp/Home.jsp              | 21 ++++++++++++---------
 webui/src/main/webapp/MuStatus.jsp          |  6 +++---
 webui/src/main/webapp/SharedFiles.jsp       | 10 +++++-----
 webui/src/main/webapp/TrustLists.jsp        |  8 ++++----
 webui/src/main/webapp/TrustUsers.jsp        |  8 ++++----
 webui/src/main/webapp/Uploads.jsp           |  6 +++---
 webui/src/main/webapp/css.jsi               | 20 ++++++++++++++++----
 29 files changed, 143 insertions(+), 64 deletions(-)

diff --git a/webui/src/main/js/advancedSharing.js b/webui/src/main/js/advancedSharing.js
index 1ed688b2..445503ba 100644
--- a/webui/src/main/js/advancedSharing.js
+++ b/webui/src/main/js/advancedSharing.js
@@ -150,4 +150,8 @@ var revision = -1
 var pathToDir = new Map()
 
 var sortKey = "Directory"
-var sortOrder = "descending"
\ No newline at end of file
+var sortOrder = "descending"
+
+document.addEventListener("DOMContentLoaded", function() {
+   initAdvancedSharing();
+}, true);
diff --git a/webui/src/main/js/browse.js b/webui/src/main/js/browse.js
index ca83cc04..fbe84cdd 100644
--- a/webui/src/main/js/browse.js
+++ b/webui/src/main/js/browse.js
@@ -318,3 +318,7 @@ function hideComment(infoHash) {
 	var commentSpan = document.getElementById("comment-"+infoHash)
 	commentSpan.innerHTML = ""
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initBrowse();
+}, true);
diff --git a/webui/src/main/js/certificates.js b/webui/src/main/js/certificates.js
index cd5d6c04..dac6f42b 100644
--- a/webui/src/main/js/certificates.js
+++ b/webui/src/main/js/certificates.js
@@ -208,3 +208,7 @@ function initCertificates() {
 	setInterval(refreshCertificates, 3000)
 	setTimeout(refreshCertificates, 1)
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initCertificates();
+}, true);
diff --git a/webui/src/main/js/conncount.js b/webui/src/main/js/conncount.js
index f0f3ffe8..0a263cb9 100644
--- a/webui/src/main/js/conncount.js
+++ b/webui/src/main/js/conncount.js
@@ -29,3 +29,7 @@ function initConnectionsCount() {
 	setInterval(refreshConnectionsCount, 3000);
 	setTimeout(refreshConnectionsCount, 1);
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initConnectionsCount();
+}, true);
diff --git a/webui/src/main/js/download.js b/webui/src/main/js/download.js
index e2c8f03b..a1a4f442 100644
--- a/webui/src/main/js/download.js
+++ b/webui/src/main/js/download.js
@@ -219,3 +219,7 @@ function initDownloads() {
 	setInterval(refreshDownloader, 3000)
 	setTimeout(refreshDownloader,1);
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initDownloads();
+}, true);
diff --git a/webui/src/main/js/feeds.js b/webui/src/main/js/feeds.js
index 6a126ff0..ba7c4d52 100644
--- a/webui/src/main/js/feeds.js
+++ b/webui/src/main/js/feeds.js
@@ -400,4 +400,8 @@ var feedsSortOrder = "descending"
 var itemsSortKey = "Name"
 var itemsSortOrder = "descending"
 
-var expandedComments = new Map()
\ No newline at end of file
+var expandedComments = new Map()
+
+document.addEventListener("DOMContentLoaded", function() {
+   initFeeds();
+}, true);
diff --git a/webui/src/main/js/fileDetails.js b/webui/src/main/js/fileDetails.js
index 1857c9fe..6f2575a8 100644
--- a/webui/src/main/js/fileDetails.js
+++ b/webui/src/main/js/fileDetails.js
@@ -237,3 +237,7 @@ var downloadersSortKey = "Downloader"
 var downloadersSortOrder = "descending"
 var certificatesSortKey = "Name"
 var certificatesSortOrder = "descending"
+
+document.addEventListener("DOMContentLoaded", function() {
+   initFileDetails();
+}, true);
diff --git a/webui/src/main/js/files.js b/webui/src/main/js/files.js
index 67df08e1..17f9579f 100644
--- a/webui/src/main/js/files.js
+++ b/webui/src/main/js/files.js
@@ -347,4 +347,8 @@ function unpublish(nodeId) {
 	xmlhttp.open("POST", "/MuWire/Feed", true)
 	xmlhttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
 	xmlhttp.send("action=unpublish&file=" + encodedPath)
-}
\ No newline at end of file
+}
+
+document.addEventListener("DOMContentLoaded", function() {
+   initFiles();
+}, true);
diff --git a/webui/src/main/js/filesTable.js b/webui/src/main/js/filesTable.js
index 52451c52..b853c3d9 100644
--- a/webui/src/main/js/filesTable.js
+++ b/webui/src/main/js/filesTable.js
@@ -141,7 +141,7 @@ function refreshTable() {
 	xmlhttp.send()
 }
 
-function initFiles() {
+function initFilesTable() {
 	setInterval(refreshStatus, 3000)
 	setTimeout(refreshStatus, 1)
 
@@ -239,3 +239,7 @@ function unpublish(path) {
 	xmlhttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
 	xmlhttp.send("action=unpublish&file=" + path)
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initFilesTable();
+}, true);
diff --git a/webui/src/main/js/search.js b/webui/src/main/js/search.js
index 000e539a..48d95831 100644
--- a/webui/src/main/js/search.js
+++ b/webui/src/main/js/search.js
@@ -908,3 +908,11 @@ function initGroupByFile() {
 	setInterval ( refreshStatus, 3000);
 	setTimeout ( refreshStatus, 1);
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+    if (bySender) {
+       initGroupBySender();
+    } else {
+       initGroupByFile();
+    }
+}, true);
diff --git a/webui/src/main/js/status.js b/webui/src/main/js/status.js
index 8e5ba2a9..df7d46f4 100644
--- a/webui/src/main/js/status.js
+++ b/webui/src/main/js/status.js
@@ -25,3 +25,7 @@ function initStatus() {
 	setInterval(refreshStatus, 3000);
 	setTimeout(refreshStatus, 1);
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initStatus();
+}, true);
diff --git a/webui/src/main/js/translate.js b/webui/src/main/js/translate.js
index a8d0345a..3929f54b 100644
--- a/webui/src/main/js/translate.js
+++ b/webui/src/main/js/translate.js
@@ -27,3 +27,7 @@ function _t(s, p) {
     rv = rv.replace("{0}", p);
     return rv;
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initTranslate(jsTranslations);
+}, true);
diff --git a/webui/src/main/js/trustLists.js b/webui/src/main/js/trustLists.js
index 08fdb5dd..0d500288 100644
--- a/webui/src/main/js/trustLists.js
+++ b/webui/src/main/js/trustLists.js
@@ -371,3 +371,7 @@ function initTrustLists() {
 	setTimeout(fetchRevision, 1)
 	setInterval(fetchRevision, 3000)
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initTrustLists();
+}, true);
diff --git a/webui/src/main/js/trustUsers.js b/webui/src/main/js/trustUsers.js
index 0a440fa3..cd62b568 100644
--- a/webui/src/main/js/trustUsers.js
+++ b/webui/src/main/js/trustUsers.js
@@ -273,3 +273,7 @@ function initTrustUsers() {
 	setTimeout(fetchRevision, 1)
 	setInterval(fetchRevision, 3000)
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initTrustUsers();
+}, true);
diff --git a/webui/src/main/js/upload.js b/webui/src/main/js/upload.js
index 8d1e1d30..84c5d3ba 100644
--- a/webui/src/main/js/upload.js
+++ b/webui/src/main/js/upload.js
@@ -85,3 +85,7 @@ function initUploads() {
 	setInterval(refreshUploads, 3000)
 	setTimeout(refreshUploads,1);
 }
+
+document.addEventListener("DOMContentLoaded", function() {
+   initUploads();
+}, true);
diff --git a/webui/src/main/webapp/AboutMe.jsp b/webui/src/main/webapp/AboutMe.jsp
index b2292473..8f9e8a5b 100644
--- a/webui/src/main/webapp/AboutMe.jsp
+++ b/webui/src/main/webapp/AboutMe.jsp
@@ -19,9 +19,9 @@ Core core = (Core) application.getAttribute("core");
 <html>
     <head>
 <%@include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/sign.js?<%=version%>" type ="text/javascript"></script>
-<script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/sign.js?<%=version%>" type ="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
 function copyFullId() {
 	copyToClipboard("full-id")
 	alert("Full ID copied to clipboard")
@@ -29,7 +29,7 @@ function copyFullId() {
 openAccordion = 3;
 </script>
     </head>
-    <body onload="initConnectionsCount();">
+    <body>
 <%@include file="header.jsi"%>    	
 	<aside>
 <%@include file="searchbox.jsi"%>    	
diff --git a/webui/src/main/webapp/AdvancedSharing.jsp b/webui/src/main/webapp/AdvancedSharing.jsp
index 62edaec3..0ae354bb 100644
--- a/webui/src/main/webapp/AdvancedSharing.jsp
+++ b/webui/src/main/webapp/AdvancedSharing.jsp
@@ -13,14 +13,14 @@ String helptext = Util._t("Use this page to configure advanced settings for each
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/tables.js?<%=version%> type="text/javascript"></script>
-<script src="js/advancedSharing.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/advancedSharing.js?<%=version%>" type="text/javascript"></script>
 <script type="text/javascript">
   openAccordion = 2;
 </script>
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initAdvancedSharing();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 		<div class="menubox-divider"></div>
diff --git a/webui/src/main/webapp/BrowseHost.jsp b/webui/src/main/webapp/BrowseHost.jsp
index 13ee0aca..5f98ec24 100644
--- a/webui/src/main/webapp/BrowseHost.jsp
+++ b/webui/src/main/webapp/BrowseHost.jsp
@@ -22,19 +22,19 @@ if (request.getParameter("currentHost") != null) {
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/certificates.js?<%=version%> type="text/javascript"></script>
-<script src="js/tables.js?<%=version%> type="text/javascript"></script>
-<script src="js/browse.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/certificates.js?<%=version%> type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/browse.js?<%=version%>" type="text/javascript"></script>
 
 <% if (currentBrowse != null) { %>
-	<script>
+	<script nonce="<%=cspNonce%>" type="text/javascript">
 		currentHost="<%=currentBrowse%>"
 	</script>
 <% } %>
 
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initBrowse(); initCertificates();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 		<div class="menubox-divider"></div>
diff --git a/webui/src/main/webapp/ConfigurationPage.jsp b/webui/src/main/webapp/ConfigurationPage.jsp
index 1bca0306..24152bbe 100644
--- a/webui/src/main/webapp/ConfigurationPage.jsp
+++ b/webui/src/main/webapp/ConfigurationPage.jsp
@@ -31,7 +31,7 @@ Exception error = (Exception) application.getAttribute("MWConfigError");
   openAccordion = 2;
 </script>
     </head>
-    <body onload="initConnectionsCount();">
+    <body>
 <%@include file="header.jsi"%>    	
 	<aside>
 <%@include file="searchbox.jsi"%>    	
diff --git a/webui/src/main/webapp/Downloads.jsp b/webui/src/main/webapp/Downloads.jsp
index 2c9375fc..8ee7af57 100644
--- a/webui/src/main/webapp/Downloads.jsp
+++ b/webui/src/main/webapp/Downloads.jsp
@@ -18,10 +18,10 @@ String helptext = Util._t("This page shows the files you are currently downloadi
 <html>
     <head>
 <%@include file="css.jsi"%>
-	<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
-    <script src="js/download.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
+    <script nonce="<%=cspNonce%>" src="js/download.js?<%=version%>" type="text/javascript"></script>
     </head>
-    <body onload="initTranslate(jsTranslations); initConnectionsCount(); initDownloads();">
+    <body>
 <%@include file="header.jsi"%>    	
 	<aside>
 <%@include file="searchbox.jsi"%>    	
diff --git a/webui/src/main/webapp/Feeds.jsp b/webui/src/main/webapp/Feeds.jsp
index ffbee04f..24c4fdf9 100644
--- a/webui/src/main/webapp/Feeds.jsp
+++ b/webui/src/main/webapp/Feeds.jsp
@@ -16,13 +16,13 @@ String helptext = Util._t("Every MuWire user can have a file feed to publish sha
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/certificates.js?<%=version%> type="text/javascript"></script>
-<script src="js/tables.js?<%=version%> type="text/javascript"></script>
-<script src="js/feeds.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/certificates.js?<%=version%> type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/feeds.js?<%=version%>" type="text/javascript"></script>
 
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initFeeds(); initCertificates();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 		<div class="menubox-divider"></div>
diff --git a/webui/src/main/webapp/FileDetails.jsp b/webui/src/main/webapp/FileDetails.jsp
index 93c4b335..5da0f865 100644
--- a/webui/src/main/webapp/FileDetails.jsp
+++ b/webui/src/main/webapp/FileDetails.jsp
@@ -17,16 +17,16 @@ File file = Util.getFromPathElements(path);
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/tables.js?<%=version%> type="text/javascript"></script>
-<script src="js/fileDetails.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%> type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/fileDetails.js?<%=version%>" type="text/javascript"></script>
 
-<script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
 	path="<%=path%>"
 </script>
 
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initFileDetails();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 		<div class="menubox-divider"></div>
diff --git a/webui/src/main/webapp/Home.jsp b/webui/src/main/webapp/Home.jsp
index aa865681..e100991f 100644
--- a/webui/src/main/webapp/Home.jsp
+++ b/webui/src/main/webapp/Home.jsp
@@ -32,20 +32,23 @@
 <html>
 	<head>
 <%@include file="css.jsi"%>
-	<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
-	<script src="js/certificates.js?<%=version%>" type="text/javascript"></script>
-	<script src="js/search.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" src="js/certificates.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" type="text/javascript">
+<% if (groupBy.equals("sender")) { %>
+		var bySender = true;
+<% } else { %>
+		var bySender = false;
+<% } %>
+	</script>
+	<script nonce="<%=cspNonce%>" src="js/search.js?<%=version%>" type="text/javascript"></script>
 <% if (request.getParameter("uuid") != null) {%>
-	<script>
+	<script nonce="<%=cspNonce%>" type="text/javascript">
 		uuid="<%=request.getParameter("uuid")%>"
 	</script>
 <% } %>
 	</head>
-<% if (groupBy.equals("sender")) { %>
-		<body onload="initTranslate(jsTranslations); initConnectionsCount(); initGroupBySender(); initCertificates();">
-<% } else { %>
-		<body onload="initTranslate(jsTranslations); initConnectionsCount(); initGroupByFile(); initCertificates();">
-<% } %>
+		<body>
 <%@include file="header.jsi"%>
 		<aside>
 <%@include file="searchbox.jsi"%>    	
diff --git a/webui/src/main/webapp/MuStatus.jsp b/webui/src/main/webapp/MuStatus.jsp
index 67ed7931..4407e9f7 100644
--- a/webui/src/main/webapp/MuStatus.jsp
+++ b/webui/src/main/webapp/MuStatus.jsp
@@ -17,12 +17,12 @@ String buildNumber = (String)application.getAttribute("buildNumber");
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/status.js?<%=version%>" type="text/javascript"></script>
-<script>
+<script nonce="<%=cspNonce%>" src="js/status.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
     openAccordion = 3;
 </script>
 	</head>
-	<body onload="initConnectionsCount(); initStatus();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 		<div class="menubox-divider"></div>
diff --git a/webui/src/main/webapp/SharedFiles.jsp b/webui/src/main/webapp/SharedFiles.jsp
index 29dbcbe0..c3eede39 100644
--- a/webui/src/main/webapp/SharedFiles.jsp
+++ b/webui/src/main/webapp/SharedFiles.jsp
@@ -19,16 +19,16 @@ if (viewAs == null)
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
 <% if (viewAs.equals("tree")) { %>
-	<script src="js/files.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" src="js/files.js?<%=version%>" type="text/javascript"></script>
 <% } else { %>
-	<script src="js/filesTable.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" src="js/filesTable.js?<%=version%>" type="text/javascript"></script>
 <% } %>
 
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initFiles();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 		<div class="menubox-divider"></div>
diff --git a/webui/src/main/webapp/TrustLists.jsp b/webui/src/main/webapp/TrustLists.jsp
index 26afdad5..1cd4c896 100644
--- a/webui/src/main/webapp/TrustLists.jsp
+++ b/webui/src/main/webapp/TrustLists.jsp
@@ -11,14 +11,14 @@ String helptext = Util._t("This page shows the trust lists of the users you have
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
-<script src="js/trustLists.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/trustLists.js?<%=version%>" type="text/javascript"></script>
 <script type="text/javascript">
   openAccordion = 1;
 </script>
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initTrustLists();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 <%@include file="sidebar.jsi"%>    	
diff --git a/webui/src/main/webapp/TrustUsers.jsp b/webui/src/main/webapp/TrustUsers.jsp
index 0ca41756..31d78be0 100644
--- a/webui/src/main/webapp/TrustUsers.jsp
+++ b/webui/src/main/webapp/TrustUsers.jsp
@@ -12,14 +12,14 @@ String helptext = Util._t("This page shows the users you have marked as Trusted
 <html>
 	<head>
 <%@ include file="css.jsi"%>
-<script src="js/util.js?<%=version%>" type="text/javascript"></script>
-<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
-<script src="js/trustUsers.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/util.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" src="js/trustUsers.js?<%=version%>" type="text/javascript"></script>
 <script type="text/javascript">
   openAccordion = 1;
 </script>
 	</head>
-	<body onload="initTranslate(jsTranslations); initConnectionsCount(); initTrustUsers();">
+	<body>
 <%@ include file="header.jsi"%>
 	    <aside>
 <%@include file="sidebar.jsi"%>    	
diff --git a/webui/src/main/webapp/Uploads.jsp b/webui/src/main/webapp/Uploads.jsp
index e9040e56..c23683b9 100644
--- a/webui/src/main/webapp/Uploads.jsp
+++ b/webui/src/main/webapp/Uploads.jsp
@@ -18,10 +18,10 @@ String helptext = Util._t("This page shows the files you are currently uploading
 <html>
     <head>
 <%@include file="css.jsi"%>
-	<script src="js/tables.js?<%=version%>" type="text/javascript"></script>
-    <script src="js/upload.js?<%=version%>" type="text/javascript"></script>
+	<script nonce="<%=cspNonce%>" src="js/tables.js?<%=version%>" type="text/javascript"></script>
+    <script nonce="<%=cspNonce%>" src="js/upload.js?<%=version%>" type="text/javascript"></script>
     </head>
-    <body onload="initTranslate(jsTranslations); initConnectionsCount(); initUploads();">
+    <body>
 <%@include file="header.jsi"%>    	
 	<aside>
 <%@include file="searchbox.jsi"%>    	
diff --git a/webui/src/main/webapp/css.jsi b/webui/src/main/webapp/css.jsi
index 0154f71c..f2b69173 100644
--- a/webui/src/main/webapp/css.jsi
+++ b/webui/src/main/webapp/css.jsi
@@ -1,10 +1,22 @@
+<%
+
+   String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());
+
+   response.setHeader("X-Frame-Options", "SAMEORIGIN");
+   // TODO after removing innterHTML: script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'
+   response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+   response.setHeader("X-XSS-Protection", "1; mode=block");
+   response.setHeader("X-Content-Type-Options", "nosniff");
+   response.setHeader("Accept-Ranges", "none");
+   response.setHeader("Referrer-Policy", "no-referrer");
+%>
 <title>MuWire ${version}</title>
 <link href="i2pbote.css?${version}" rel="stylesheet" type="text/css">
 <link href="muwire.css?${version}" rel="stylesheet" type="text/css">
 <link rel="icon" type="image/png" href="images/muwire.png" />
-<script src="js/conncount.js?${version}" type="text/javascript"></script>
-<script src="js/translate.js?${version}" type="text/javascript"></script>
-<script src="js/accordion.js?${version}" type="text/javascript"></script>
-<script type="text/javascript">
+<script src="js/conncount.js?${version}" nonce="<%=cspNonce%>" type="text/javascript"></script>
+<script src="js/translate.js?${version}" nonce="<%=cspNonce%>" type="text/javascript"></script>
+<script src="js/accordion.js?${version}" nonce="<%=cspNonce%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
   var jsTranslations = '<%=Util.getJSTranslations()%>';
 </script>