Overview
| | |
|---|---|
| Comment: | Correction and clarification of the use of unsafe-inline for style in the "defcsp.md" document. |
| Downloads: | Tarball, ZIP archive |
| Timelines: | family, ancestors, descendants, both, trunk |
| Files: | files, file ages, folders |
| SHA3-256: | baecb63d9b904ef4633affe9c120916f |
| User & Date: | drh 2019-10-01 16:57:40.148 |
Context
2019-10-01

| Time | Change |
|---|---|
| 18:11 | Use double-quotes instead of single-quotes for the argument to "git export" in the "fossil git export" command, for windows compatibility. ... (check-in: be7c1bde user: drh tags: trunk) |
| 16:57 | Correction and clarification of the use of unsafe-inline for style in the "defcsp.md" document. ... (check-in: baecb63d user: drh tags: trunk) |
| 13:44 | Several small tweaks to defcsp.md ... (check-in: e73901f1 user: wyoung tags: trunk) |
Changes
Changes to www/defcsp.md.
︙ | ︙ | |||
91 92 93 94 95 96 97 | ### <a name="style"></a> style-src 'self' 'unsafe-inline' This policy allows CSS information to come from separate files hosted under the Fossil repo server’s Internet domain. It also allows inline CSS `<style>` tags within the document text. | | | | | | | | | < < < | | 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 | ### <a name="style"></a> style-src 'self' 'unsafe-inline' This policy allows CSS information to come from separate files hosted under the Fossil repo server’s Internet domain. It also allows inline CSS `<style>` tags within the document text. The `'unsafe-inline'` declaration allows CSS within individual HTML elements: <p style="margin-left: 4em">Indented text.</p> As the "`unsafe-`" prefix on the name implies, the `'unsafe-inline'` feature is suboptimal for security. However, there are a few places in the Fossil-generated HTML that benefit from this flexibility and the work-arounds are verbose and difficult to maintain. Futhermore, the harm that can be done with style injections is far less than the harm possible with injected javascript. And so the `'unsafe-inline'` compromise is accepted for now, though it might go away in some future release of Fossil. ### <a name="script"></a> script-src 'self' 'nonce-%s' This policy disables in-line JavaScript and only allows `<script>` elements if the `<script>` includes a `nonce` attribute that matches the one declared by the CSP. That nonce is a large random number, unique for each HTTP page generated by Fossil, so an attacker cannot guess the |
︙ | ︙ |
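Review bot: the added paragraph in the style-src section has a typo, "Futhermore" should read "Furthermore", and "injected javascript" should be "injected JavaScript" to match the capitalisation used in the script-src section immediately below. The rationale for keeping `'unsafe-inline'` on style-src reads clearly, but since the next section explains the per-page `nonce` mechanism for script-src, a sentence saying why that same nonce approach is not applied to `<style>` elements would help readers understand that `'unsafe-inline'` is a deliberate trade-off rather than the only option.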