Tighten the content security policies for profiles.

Use template variables instead of CSS variables in Nox for better browser backwards compatibility.
Emit a local error instead of an internal error when submitting an activation token as a guest or invalid user.
Moved the inline profile scripts into profile_member.js

public/profile_member.js

@@ -0,0 +1,18 @@
+function handle_profile_hashbit() {
+	var hash_class = "";
+	switch(window.location.hash.substr(1)) {
+		case "ban_user":
+			hash_class = "ban_user_hash";
+			break;
+		default:
+			console.log("Unknown hashbit");
+			return;
+	}
+	$(".hash_hide").hide();
+	$("." + hash_class).show();
+}
+
+$(document).ready(() => {
+	if(window.location.hash) handle_profile_hashbit();
+	window.addEventListener("hashchange", handle_profile_hashbit, false);
+});

routes/account.go

@@ -673,7 +673,7 @@ func AccountEditEmailTokenSubmit(w http.ResponseWriter, r *http.Request, user co
 	targetEmail := common.Email{UserID: user.ID}
 	emails, err := common.Emails.GetEmailsByUser(&user)
 	if err != nil {
-		return common.InternalError(err, w, r)
+		return common.LocalError("You are not logged in", w, r, user)
 	}
 	for _, email := range emails {
 		if email.Token == token {

routes/profile.go

@@ -31,7 +31,7 @@ func init() {
 func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User, header *common.Header) common.RouteError {
 	// TODO: Preload this?
 	header.AddSheet(header.Theme.Name + "/profile.css")
-	header.LooseCSP = true
+	header.AddScript("profile_member.js")
 
 	var err error
 	var replyCreatedAt time.Time

templates/profile.html

@@ -114,26 +114,4 @@
 
 </div>
 
-{{if .CurrentUser.Loggedin}}
-{{/** Quick subpage switcher **/}}
-{{/** TODO: Stop inlining this **/}}
-<script type="text/javascript">
-function handle_profile_hashbit() {
-	var hash_class = ""
-	switch(window.location.hash.substr(1)) {
-		case "ban_user":
-			hash_class = "ban_user_hash"
-			break
-		default:
-			console.log("Unknown hashbit")
-			return
-	}
-	$(".hash_hide").hide()
-	$("." + hash_class).show()
-}
-if(window.location.hash) handle_profile_hashbit()
-window.addEventListener("hashchange", handle_profile_hashbit, false)
-</script>
-{{end}}
-
 {{template "footer.html" . }}

themes/nox/public/main.css

@@ -1,9 +1,6 @@
-:root {
+{{$darkest_bg := "#222222"}}
-	--darkest-background: #222222;
+{{$second_dark_bg := "#292929"}}
-	--second-dark-background: #292929;
+{{$third_dark_bg := "#333333"}}
-	--third-dark-background: #333333;
-}
-
 * {
 	box-sizing: border-box;
 }
@@ -11,7 +8,7 @@ body {
 	margin: 0px;
 	padding: 0px;
 	color: #AAAAAA;
-	background-color: var(--darkest-background);
+	background-color: {{$darkest_bg}};
 	font-family: "Segoe UI";
 }
 a {
@@ -20,7 +17,7 @@ a {
 }
 
 nav.nav {
-	background: var(--darkest-background);
+	background: {{$darkest_bg}};
 	width: calc(100% - 200px);
 	float: left;
 }
@@ -103,7 +100,7 @@ li a {
 .right_of_nav {
 	float: left;
 	width: 200px;
-	background-color: var(--darkest-background);
+	background-color: {{$darkest_bg}};
 	padding-top: 12px;
 	padding-bottom: 12px;
 	padding-right: 12px;
@@ -112,7 +109,7 @@ li a {
 	display: flex;
 	flex-direction: row;
 	border-radius: 3px;
-	background-color: var(--third-dark-background);
+	background-color: {{$third_dark_bg}};
 	padding-top: 11px;
 	padding-bottom: 11px;
 	padding-left: 12px;
@@ -143,7 +140,7 @@ li a {
 	clear: both;
 }
 #back {
-	background: var(--third-dark-background);
+	background: {{$third_dark_bg}};
 	padding: 24px;
 	padding-top: 12px;
 	clear: both;
@@ -1294,7 +1291,7 @@ input[type=checkbox]:checked + label .sel {
 
 @media(min-width: 1010px) {
 	.container {
-		background-color: var(--second-dark-background);
+		background-color: {{$second_dark_bg}};
 	}
 	#back, .footer {
 		width: 1000px;