Fossil

Check-in [1d276f7b]

Overview
Comment: This should demonstrate a behavior of inline STYLE tags. Notice gray background of PRE elements in www/defcsp.md and the lack of it in www/webui.wiki. See forum thread 69f475cf48.
SHA3-256: 1d276f7b234440d525bd55da35e4aa024d7dbb2473d765482f67d2de7ad6246c
User & Date: george 2021-06-19 20:58:33
Original Comment: This should demonstraite a behavior of inline STYLE tags. Notice gray background of
 elements in www/defcsp.md and the lack of it in www/webui.wiki. See forum thread 69f475cf48.
Context
2021-06-19
20:58
This should demonstrate a behavior of inline STYLE tags. Notice gray background of PRE elements in www/defcsp.md and the lack of it in www/webui.wiki. See forum thread 69f475cf48. ... (Leaf check-in: 1d276f7b user: george tags: inline-style-inconsistency)
02:29
Fix a possible "use-after-free" while rendering a /file page for the case when "ci" parameter is missing. This is a preliminary fix, it may introduce a (tiny) memory leak. ... (check-in: a6477bca user: george tags: trunk)
Changes

Changes to www/defcsp.md.

16
17
18
19
20
21
22







23
24
25
26
27
28
29
For example, Fossil purposely breaks `<script>` tags when it finds
them in Markdown and Fossil Wiki documents.  And the Fossil build
process scans the source code for potential injection vulnerabilities
and refuses to compile if any problems are found.
However, CSP provides an additional layer of defense against undetected
bugs that might lead to a vulnerability.








## The Default Restrictions

The default CSP used by Fossil is as follows:

<pre>
     default-src 'self' data:;
     script-src 'self' 'nonce-$nonce';







>
>
>
>
>
>
>







16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
For example, Fossil purposely breaks `<script>` tags when it finds
them in Markdown and Fossil Wiki documents.  And the Fossil build
process scans the source code for potential injection vulnerabilities
and refuses to compile if any problems are found.
However, CSP provides an additional layer of defense against undetected
bugs that might lead to a vulnerability.

<style>
  div.content pre {
    background: #cccccc;
    padding: 0.25em;
  }
</style>

## The Default Restrictions

The default CSP used by Fossil is as follows:

<pre>
     default-src 'self' data:;
     script-src 'self' 'nonce-$nonce';
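
Review bot: the `<style>` block inserted just above `## The Default Restrictions` is test scaffolding with nothing in the document marking it as such, and its selector `div.content pre` restyles every PRE on the page, including the CSP listing that starts right below it. Keep it confined to the inline-style-inconsistency branch, or wrap it in a comment that names the forum thread so it is not mistaken for intended styling. Because this file documents the CSP itself and the visible context shows only `default-src 'self' data:` and `script-src 'self' 'nonce-$nonce'`, the demonstration should also state which style directive was in effect when the gray background was observed; otherwise a reader cannot tell whether the difference from www/webui.wiki comes from the markup renderer or from the policy.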

Changes to www/webui.wiki.

29
30
31
32
33
34
35








36
37
38
39
40
41
42
self-contained, stand-alone Fossil executable.

As an example of how useful this web interface can be,
the entire [./index.wiki | Fossil website],
including the document you are now reading,
is rendered using the Fossil web interface, with no enhancements,
and little customization.









<blockquote>
<b>Key point:</b> <i>The Fossil website is just a running instance
of Fossil!
</blockquote>

Note also that because Fossil is a distributed system, you can run







>
>
>
>
>
>
>
>







29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
self-contained, stand-alone Fossil executable.

As an example of how useful this web interface can be,
the entire [./index.wiki | Fossil website],
including the document you are now reading,
is rendered using the Fossil web interface, with no enhancements,
and little customization.

<style>
  div.content pre {
    background: #cccccc;
    padding: 0.25em;
  }
</style>


<blockquote>
<b>Key point:</b> <i>The Fossil website is just a running instance
of Fossil!
</blockquote>

Note also that because Fossil is a distributed system, you can run
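
Review bot: the `<style>` block inserted before the `<blockquote>` is a copy of the rule added to www/defcsp.md, and per the check-in comment it produces no gray background here, so as committed it is dead markup in a user-facing page. For the comparison to be useful, record what the wiki formatter actually emits for these six lines (element dropped, or escaped and shown as text), since the two outcomes point to different fixes, and remove the block from this file before anything on this branch is merged. Separately, the unchanged context opens `<i>` after `<b>Key point:</b>` and reaches `</blockquote>` without a closing `</i>`; that is worth correcting in its own check-in so it does not muddy the rendering comparison.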