hold session key in POST data
index 16bd9044053803c2ca16b840b5514ab3fde9d106..f44d288db0e41ba30f093e2a1c485424b61172ed 100755 (executable)
--- a/index.cgi
+++ b/index.cgi
@@ -2,6 +2,7 @@
 
 _EXEC=.
 _DATA=.
+SESSION_TIMEOUT=43200
 . "$_EXEC/cgilite/logging.sh"
 . "$_EXEC/cgilite/cgilite.sh"
 . "$_EXEC/cgilite/session.sh"
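Review bot: The added `SESSION_TIMEOUT=43200` carries no unit or rationale, and its placement two lines above the sourcing of cgilite/session.sh suggests it is an input to that library, which a reader cannot tell from this file. A short comment on the line would settle both: `SESSION_TIMEOUT=43200  # seconds (12 h); presumably read by cgilite/session.sh sourced below — confirm`. If session.sh does consume it, consider also stating there that the value must be assigned before the `.` line, since a later assignment would have no effect on an already-initialised session.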
@@ -13,7 +14,9 @@ LOCATION="${LOCATION%%/*}"
 
 yield_page(){
   page="$1"
-  printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
+  printf '%s\r\n' 'Content-Type: text/html; charset=utf-8' \
+                  "Content-Security-Policy: script-src 'none'" \
+                  ''
   { printf '[html
     [head
       [meta name="viewport" content="width=device-width"]
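Review bot: The new Content-Security-Policy line restricts only `script-src`; `object-src` does not fall back to `script-src` (it falls back to `default-src`, which is unset here), so plugin content remains a way to execute script, and `base-uri`, frames and form targets are likewise unrestricted. Extending the value to `"Content-Security-Policy: script-src 'none'; object-src 'none'; base-uri 'none'"` closes those without affecting a page that has no scripts; `default-src 'self'` would be stricter still but is only safe if the markup uses no inline styles, which this hunk does not show. Note that the trailing `''` argument is what emits the blank line terminating the header block, so any further headers must be added before it. yield_page's body continues outside the hunk.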
@@ -30,11 +33,12 @@ yield_page(){
 settings_menu(){
   printf '
     [form #settings method="POST" action="?"
+      [hidden "session_key" "%s"]
       [h1 Settings][a .settings href="?" Close]'
   printf '
       [a .section href="#nick" Nickname]
       [div #nick [input name="nickname" value="%s"][submit "action" "nick" Set Cookie]]
-  ' "$(HTML "${nickname#\?}")"
+  ' "$SESSION_KEY" "$(HTML "${nickname#\?}")"
   printf '
       [a .section href="#register" Register Nickname]
       [div #register
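Review bot: The `%s` added inside `[hidden "session_key" "%s"]` belongs to the first printf (the one ending at `Close]'`), which still receives no arguments, so that placeholder expands to an empty string and the hidden field is sent without the key. The `"$SESSION_KEY"` argument was instead added to the second printf, whose format has a single `%s`; shell printf reuses the format for surplus arguments, so the Nickname section would be emitted twice, the first copy with the session key in the `nickname` input's `value` attribute. Fix by moving the argument: end the first printf with `[h1 Settings][a .settings href="?" Close]' "$SESSION_KEY"` and restore the second to `' "$(HTML "${nickname#\?}")"`. Whether `$SESSION_KEY` needs `HTML` escaping depends on the character set session.sh generates, which is not visible here. settings_menu continues outside the hunk.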
@@ -54,7 +58,7 @@ case ${LOCATION} in
     exit 0
     ;;
   \&?*)
-    chatfile="$_DATA/${LOCATION}"
+    chatfile="$_DATA/${LOCATION}/channel"
     . "$_EXEC/channel.sh"
     exit 0
     ;;
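Review bot: Changing `chatfile` from `$_DATA/${LOCATION}` to `$_DATA/${LOCATION}/channel` turns each channel from a file into a directory, and nothing in this hunk creates that directory or migrates data stored at the old path, so existing channels would appear empty unless channel.sh handles both. A comment at the assignment such as `# channel data lives in a per-channel directory; channel.sh must create it` would document the contract, and the layout change deserves a mention in the commit message. `${LOCATION%%/*}` (context of the earlier hunk) already strips anything after the first slash, which keeps the path to a single directory component. The enclosing case statement starts outside the hunk.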