From ea8587578a410c09ea18d08666a7b8398ac3c705 Mon Sep 17 00:00:00 2001
From: Ilia Rostovtsev
Date: Sun, 28 Mar 2021 14:17:48 +0300
Subject: [PATCH 1/3] UI reposition network buffer option
---
 webmin/edit_advanced.cgi | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/webmin/edit_advanced.cgi b/webmin/edit_advanced.cgi
index 08d96503a..7d24b2bb9 100755
--- a/webmin/edit_advanced.cgi
+++ b/webmin/edit_advanced.cgi
@@ -73,6 +73,11 @@ if (&has_command("chattr")) {
 &ui_yesno_radio("chattr", $gconfig{'chattr'}));
 }
+# Network buffer size
+print &ui_table_row($text{'advanced_bufsize'},
+ &ui_opt_textbox("bufsize", $miniserv{'bufsize'}, 6,
+ $text{'default'}." (32768)"));
+
 # Nice level for cron jobs
 if (&foreign_check("proc")) {
 &foreign_require("proc", "proc-lib.pl");
@@ -107,12 +112,6 @@ print &ui_table_row($text{'advanced_headers'},
 print &ui_table_row($text{'advanced_sortconfigs'},
 &ui_yesno_radio("sortconfigs", $gconfig{'sortconfigs'}));
-# Network buffer size
-print &ui_table_row($text{'advanced_bufsize'},
- &ui_opt_textbox("bufsize", $miniserv{'bufsize'}, 6,
- $text{'default'}." (32768)"));
-
-
 print &ui_table_end();
 print &ui_form_end([ [ "save", $text{'save'} ] ]);
From 39b14afb7e807193460ebf202ec0a22dea99a828 Mon Sep 17 00:00:00 2001
From: Ilia Rostovtsev
Date: Sun, 28 Mar 2021 16:44:06 +0300
Subject: [PATCH 2/3] Theme needs a control over `x-no-links` header
---
 web-lib-funcs.pl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 01a3cd712..490cd0f0a 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -961,6 +961,9 @@ if (!$gconfig{'no_content_security_policy'}) {
 print "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'; child-src 'self'\n";
 }
 print "X-Content-Type-Options: nosniff\n";
+if ($tconfig{'nolinks'}) {
+ print "X-no-links: 1\n";
+ }
 if (defined($cs)) {
 print "Content-type: $mt; Charset=$cs\n\n";
 }
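Review bot: The added `X-no-links` branch in web-lib-funcs.pl carries no comment saying what the header means or which component reads it, although it is sent to every client whenever the theme sets `nolinks`. I would put a line above the `if` such as `# Theme opt-in ('nolinks' in theme config): tells the theme's client-side code not to process links`, with the wording adjusted to the real consumer, which I am inferring from the commit title. The enclosing function starts and ends outside the hunk.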
From 4cb4177ae6425d59de450356006963df905fcde8 Mon Sep 17 00:00:00 2001
From: Ilia Rostovtsev
Date: Mon, 29 Mar 2021 15:19:37 +0300
Subject: [PATCH 3/3] Fix to prevent sending CSP if defined in custom headers or by theme
---
 web-lib-funcs.pl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 490cd0f0a..1afde39f7 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -957,8 +957,14 @@ if ($gconfig{'extra_headers'}) {
 if (!$gconfig{'no_frame_options'}) {
 print "X-Frame-Options: SAMEORIGIN\n";
 }
-if (!$gconfig{'no_content_security_policy'}) {
- print "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'; child-src 'self'\n";
+if (!$gconfig{'no_content_security_policy'} &&
+ $gconfig{'extra_headers'} !~ /Content-Security-Policy:/) {
+ if ($tconfig{'csp_headers'}) {
+ print "Content-Security-Policy: $tconfig{'csp_headers'}\n";
+ }
+ else {
+ print "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'; child-src 'self'\n";
+ }
 }
 print "X-Content-Type-Options: nosniff\n";
 if ($tconfig{'nolinks'}) {
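Review bot: The new guard `$gconfig{'extra_headers'} !~ /Content-Security-Policy:/` is a case-sensitive, unanchored substring test, so it can misjudge what the custom headers really contain. A custom `content-security-policy:` entry (header names are case-insensitive) goes undetected and two policies are sent, while any entry that merely contains the string, such as the legacy `X-Content-Security-Policy:` name or another header's value, switches the built-in policy off without an effective CSP replacing it. Matching the name at the start of a header entry and ignoring case closes both gaps, for example `$gconfig{'extra_headers'} !~ /(?:^|[\t\r\n])\s*Content-Security-Policy\s*:/i`; the separator class is a guess, because the code that splits `extra_headers` lies outside this hunk. The theme value is also interpolated straight into the header line, so stripping CR/LF from `$tconfig{'csp_headers'}` before the `print` would keep a malformed theme config from splitting the response headers. The enclosing function starts and ends outside the hunk.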