Wapp

Check-in [c366208c59]

Overview
Comment: Documentation updates. No changes to code.
SHA3-256: c366208c5988d76b1c742ff48a6cedc3c9f3c8d704b948db0f8e436adc5d3851
User & Date: drh 2019-07-30 15:35:42
Context
2019-07-30
17:47
More details in the explanation of how %-substitutions work. check-in: 568d7c208d user: drh tags: trunk
15:35
Documentation updates. No changes to code. check-in: c366208c59 user: drh tags: trunk
15:34
Use "info command" instead of "info proc". Ticket [88807f83a6d9ddfd] check-in: 359e3e19e9 user: drh tags: trunk
2019-07-29
19:51
Documentation updates. No changes to code. Leaf check-in: 255f9ed52a user: drh tags: tcltls
Changes

Changes to docs/commands.md.

  +  <a name='csp'></a>**wapp-content-security-policy** _POLICY_  
     Set the Content Security Policy (hereafter "CSP") to _POLICY_.  The
     default CSP is _default\_src 'self'_, which is very restrictive.  The
     default CSP disallows (a) loading any resources from other origins,
     (b) the use of eval(), and (c) in-line javascript or CSS of any kind.
     Set _POLICY_ to "off" to completely disable the CSP mechanism.  Or
     specify some other policy suitable for the needs of the application.











  +  <a name="debug-env"></a>**wapp-debug-env**  
     This routine returns text that describes all of the Wapp parameters.
     Use it to get a parameter dump for troubleshooting purposes.

  +  **wapp** _TEXT_  
     Add _TEXT_ to the web page output currently under construction.  _TEXT_







  +  <a name='csp'></a>**wapp-content-security-policy** _POLICY_  
     Set the Content Security Policy (hereafter "CSP") to _POLICY_.  The
     default CSP is _default\_src 'self'_, which is very restrictive.  The
     default CSP disallows (a) loading any resources from other origins,
     (b) the use of eval(), and (c) in-line javascript or CSS of any kind.
     Set _POLICY_ to "off" to completely disable the CSP mechanism.  Or
     specify some other policy suitable for the needs of the application.

     <p>The following allows inline images using
     &lt;img src='data:...'&gt; and inline "style='...'" attributes,
     but restricts all other attack vectors and thus seems to be a good
     choice for many applications:
     <blockquote><pre>
     wapp-content-security-policy {
        default-src 'self' data:;
        style-src 'self' 'unsafe-inline';
     }</pre><blockquote>

  +  <a name="debug-env"></a>**wapp-debug-env**  
     This routine returns text that describes all of the Wapp parameters.
     Use it to get a parameter dump for troubleshooting purposes.

  +  **wapp** _TEXT_  
     Add _TEXT_ to the web page output currently under construction.  _TEXT_
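
Review bot: the recommended policy in the added paragraph puts data: in default-src, so it applies to every fetch directive that falls back to default-src, script-src included, which is at odds with the claim that the policy "restricts all other attack vectors". Since the stated goal is only inline images plus inline style attributes, consider scoping the exception with img-src 'self' data: and leaving default-src 'self' as it is. Two smaller points in the same hunk: the example ends with `</pre><blockquote>`, which opens a second blockquote instead of closing the first, and the unchanged context still spells the default policy as default\_src 'self' while the new example uses default-src, which is the actual directive name.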

Changes to docs/params.md.

clicking on a hyperlink or form on a page that was generated by the
same website.
Manually typing in a URL does not constitute the "same origin".  Hence,
in the "env.tcl" example above the "wapp-allow-xorigin-params" interface
is used so that you can manually extend the URL to add new query parameters.

If query parameters can have side effects, then you should omit the
wapp-allow-xorigin-params call.  Only invoke wapp-allow-xorigin-params
for web pages that only query information.  Do not invoke
wapp-allow-xorigin-params on pages where the parameters can be used
to change server-side state.

<a name='cgidetail'></a>
3.0 CGI Parameter Details [(Quick reference)](quickref.md#cgiparams)
-------------------------

The CGI parameters in Wapp describe the HTTP request that is to be answered
and the execution environment.







clicking on a hyperlink or form on a page that was generated by the
same website.
Manually typing in a URL does not constitute the "same origin".  Hence,
in the "env.tcl" example above the "wapp-allow-xorigin-params" interface
is used so that you can manually extend the URL to add new query parameters.

If query parameters can have side effects, then you should omit the
wapp-allow-xorigin-params call.  The wapp-allow-xorigin-params command
is safe for read-only web pages.  Do not invoke wapp-allow-xorigin-params
on pages where the parameters can be used to change server state.


<a name='cgidetail'></a>
3.0 CGI Parameter Details [(Quick reference)](quickref.md#cgiparams)
-------------------------

The CGI parameters in Wapp describe the HTTP request that is to be answered
and the execution environment.
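
Review bot: the rewritten sentence "The wapp-allow-xorigin-params command is safe for read-only web pages" turns the previous instruction ("Only invoke wapp-allow-xorigin-params for web pages that only query information") into a statement of when the command is safe, and no longer says that its use should be limited to those pages. Consider keeping the imperative form, and tie "read-only" back to the first sentence of the paragraph by saying it means a page on which no query parameter has a side effect, so that the two sentences and the closing "Do not invoke" rule use the same criterion.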