Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Correction and clarification of the use of unsafe-inline for style in the "defcsp.md" document. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
baecb63d9b904ef4633affe9c120916f |
| User & Date: | drh 2019-10-01 16:57:40 |
Context
|
2019-10-01
| ||
| 18:11 | Use double-quotes instead of single-quotes for the argument to "git export" in the "fossil git export" command, for windows compatibility. (check-in: be7c1bde user: drh tags: trunk) | |
| 16:57 | Correction and clarification of the use of unsafe-inline for style in the "defcsp.md" document. (check-in: baecb63d user: drh tags: trunk) | |
| 13:44 | Several small tweaks to defcsp.md (check-in: e73901f1 user: wyoung tags: trunk) | |
Changes
Changes to www/defcsp.md.
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
### <a name="style"></a> style-src 'self' 'unsafe-inline' This policy allows CSS information to come from separate files hosted under the Fossil repo server’s Internet domain. It also allows inline CSS `<style>` tags within the document text. The `'unsafe-inline'` declaration excludes CSS within individual HTML elements: <p style="margin-left: 4em">Indented text.</p> Because this policy is weaker than [our default for script elements](#script), there is the potential for an atacker to modify a Fossil-generated page via CSS. While such page modifications are not as dangerous as injected JavaScript, the real reason we allow it is that Fossil still emits in-page `<style>` blocks in a few places. Over time, we may work out ways to avoid each of these, which will eventually allow us to tighten this CSP rule down to match the `script` rule. We recommend that you do your own CSS modifications [via the skin][cs] rather than depend on the ability to insert `<script>` blocks into individual pages. ### <a name="script"></a> script-src 'self' 'nonce-%s' This policy disables in-line JavaScript and only allows `<script>` elements if the `<script>` includes a `nonce` attribute that matches the one declared by the CSP. That nonce is a large random number, unique for each HTTP page generated by Fossil, so an attacker cannot guess the |
| | | | | | | | | < < < |
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
### <a name="style"></a> style-src 'self' 'unsafe-inline' This policy allows CSS information to come from separate files hosted under the Fossil repo server’s Internet domain. It also allows inline CSS `<style>` tags within the document text. The `'unsafe-inline'` declaration allows CSS within individual HTML elements: <p style="margin-left: 4em">Indented text.</p> As the "`unsafe-`" prefix on the name implies, the `'unsafe-inline'` feature is suboptimal for security. However, there are a few places in the Fossil-generated HTML that benefit from this flexibility and the work-arounds are verbose and difficult to maintain. Futhermore, the harm that can be done with style injections is far less than the harm possible with injected javascript. And so the `'unsafe-inline'` compromise is accepted for now, though it might go away in some future release of Fossil. ### <a name="script"></a> script-src 'self' 'nonce-%s' This policy disables in-line JavaScript and only allows `<script>` elements if the `<script>` includes a `nonce` attribute that matches the one declared by the CSP. That nonce is a large random number, unique for each HTTP page generated by Fossil, so an attacker cannot guess the |