diff --git a/todo.md b/todo.md index 16c8e91..7f5c6d0 100644 --- a/todo.md +++ b/todo.md @@ -12,3 +12,5 @@ * Maybe add a DNS/Domains page and require users to add domains their before they can use them for tunnels. This creates a natural place to explain what is wrong when domain stuff breaks. +* Responses to unauthorized requests are leaking information about the current + tunnels through the genereated CSS. diff --git a/ui_handler.go b/ui_handler.go index 2be6140..4f2fa2e 100644 --- a/ui_handler.go +++ b/ui_handler.go @@ -272,7 +272,7 @@ func (h *WebUiHandler) handleWebUiRequest(w http.ResponseWriter, r *http.Request return } - http.Redirect(w, r, "/#/tunnels", 307) + //http.Redirect(w, r, "/#/tunnels", 307) case "/tokens": h.handleTokens(w, r, user, tokenData) diff --git a/webui/index.tmpl b/webui/index.tmpl index cce21f3..460ec18 100644 --- a/webui/index.tmpl +++ b/webui/index.tmpl @@ -21,15 +21,35 @@
{{range $domain, $tunnel:= .Tunnels}} +
{{$domain}}:{{$tunnel.TunnelPort}} -> {{$tunnel.ClientName}}:{{$tunnel.ClientPort}}
-
+ + +
+ + +
+

+ Are you sure you want to delete {{$domain}}? +

+
+ +
+
+
{{end}}
@@ -114,27 +134,5 @@
{{end}} - - {{range $domain, $tunnel:= .Tunnels}} - -
- - -
-

- Are you sure you want to delete {{$domain}}? -

-
-
- - -
- -
-
-
- {{end}} - diff --git a/webui/styles.css b/webui/styles.css index b38a6e5..78045c4 100644 --- a/webui/styles.css +++ b/webui/styles.css @@ -49,6 +49,10 @@ main { color: #000; } +.toggle { + display: none; +} + #menu-toggle { display: none; } @@ -160,12 +164,24 @@ main *:target { } {{range $domain, $tunnel:= .Tunnels}} -#toggle-tunnel-delete-{{$tunnel.CssId}} { +#toggle-tunnel-delete-dialog-{{$tunnel.CssId}} { display: none; } -#toggle-tunnel-delete-{{$tunnel.CssId}}:checked + .confirm-dialog { +#toggle-tunnel-delete-dialog-{{$tunnel.CssId}}:checked + .confirm-dialog { display: block; } + +#toggle-tunnel-hide-deleted-{{$tunnel.CssId}}:checked + .list-item { + /* This is a trick to make the delete request after the delete button is + * clicked. The background will never actually be displayed, because it's + * moved offscreen. */ + position: absolute; + left: -999em; + background: url("/delete-tunnel?domain={{$domain}}"); +} +#toggle-tunnel-hide-deleted-{{$tunnel.CssId}}:checked ~ .confirm-dialog { + display: none; +} {{end}} @media (min-width: 900px) {