From: "Anthony J. Bentley"
To: tech@mandoc.bsd.lv
Cc: schwarze@usta.de
Subject: Content-Security-Policy for man.cgi
Date: Sun, 10 Nov 2019 01:59:21 -0700
Message-ID: <37020-1573376361.432557@hhtH.9ww_.rVWG>

Hi,

Modern browsers respect the Content-Security-Policy header, which restricts
where dynamic resources like CSS and JavaScript can be specified in an HTML
document. Since man.openbsd.org hosts manuals from many sources, and there's
always danger of a bug in mandoc that allows dangerous HTML content through,
a policy of "default-src 'none'; style-src 'self'" would be appropriate: this
allows external stylesheets loaded from a URL on the same domain, but
prohibits external links and inline CSS; scripts are not allowed at all.

(mandoc(1) no longer generates inline styles at all, right?)

Index: cgi.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
retrieving revision 1.106
diff -u -p -r1.106 cgi.c
--- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
+++ cgi.c	10 Nov 2019 08:48:46 -0000
@@ -336,6 +336,7 @@ resp_begin_http(int code, const char *ms
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	    "Cache-Control: no-cache\r\n"
+	    "Content-Security-Policy: default-src 'none'; style-src 'self';\r\n"
 	    "Pragma: no-cache\r\n"
 	    "\r\n");

-- 
To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv
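Review bot: The added header line rests on an assumption the description itself leaves open: `style-src 'self'` blocks every `<style>` element and `style=` attribute, and `default-src 'none'` additionally blocks images, fonts, frames and script-initiated connections, so before committing, load a few man.cgi pages with the header in place and confirm the browser console reports no CSP violations (sending the same value in a `Content-Security-Policy-Report-Only` header first is a safe way to do that on the live site). Two smaller points on the same line: the trailing `;` before `\r\n` in `style-src 'self';` is tolerated by browsers but unnecessary, so `"Content-Security-Policy: default-src 'none'; style-src 'self'\r\n"` would be cleaner; and the description's claim that the policy "prohibits external links" overstates what CSP does, since it governs resource fetches (stylesheets, scripts, images, frames) and not navigation through ordinary `<a href>` links, so the commit message should say "external resources".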
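As an added illustration for this thread (not mandoc code and not from the patch author), the small C evaluator below shows how a browser resolves the policy value in the patch: a fetch directive such as style-src falls back to default-src when it is absent, 'self' admits same-origin stylesheets, and inline styles are blocked unless 'unsafe-inline' is listed. The function names csp_lookup, list_has and csp_allows are assumptions, and the host cdn.example is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy Content-Security-Policy evaluator (hypothetical names, not mandoc or
 * browser code). It models two rules the patch relies on: a fetch directive
 * falls back to default-src when absent, and inline code or styles are
 * blocked unless 'unsafe-inline' appears in the governing source list.
 */

/*
 * Find `directive` among the ';'-separated directives of `hdr` and copy its
 * trimmed source list into `out`. Returns 1 if found, 0 otherwise. Empty
 * segments, such as the one a trailing ';' produces, are skipped.
 */
static int
csp_lookup(const char *hdr, const char *directive, char *out, size_t outsz)
{
	size_t dlen = strlen(directive);
	const char *seg = hdr;

	for (;;) {
		const char *semi = strchr(seg, ';');
		const char *end = semi != NULL ? semi : seg + strlen(seg);
		const char *s = seg;

		while (s < end && isspace((unsigned char)*s))
			s++;
		if ((size_t)(end - s) >= dlen &&
		    strncmp(s, directive, dlen) == 0 &&
		    (s + dlen == end || isspace((unsigned char)s[dlen]))) {
			const char *v = s + dlen;
			size_t len;

			while (v < end && isspace((unsigned char)*v))
				v++;
			while (end > v && isspace((unsigned char)end[-1]))
				end--;
			len = (size_t)(end - v);
			if (len >= outsz)
				len = outsz - 1;
			memcpy(out, v, len);
			out[len] = '\0';
			return 1;
		}
		if (semi == NULL)
			return 0;
		seg = semi + 1;
	}
}

/* Return 1 if the space-separated source list contains `token` exactly. */
static int
list_has(const char *list, const char *token)
{
	size_t tlen = strlen(token);
	const char *s = list;

	while (*s != '\0') {
		const char *e;

		while (*s == ' ')
			s++;
		for (e = s; *e != '\0' && *e != ' '; e++)
			;
		if ((size_t)(e - s) == tlen && strncmp(s, token, tlen) == 0)
			return 1;
		s = e;
	}
	return 0;
}

/*
 * Decide whether a resource governed by `directive` may load under `hdr`.
 * `origin` is "inline" for inline code or styles, "self" for the page's own
 * origin, or an external host name. Returns 1 (allowed) or 0 (blocked).
 */
int
csp_allows(const char *hdr, const char *directive, const char *origin)
{
	char list[256];

	if (!csp_lookup(hdr, directive, list, sizeof list) &&
	    !csp_lookup(hdr, "default-src", list, sizeof list))
		return 1;	/* no directive governs it: unrestricted */
	if (strcmp(origin, "inline") == 0)
		return list_has(list, "'unsafe-inline'");
	if (strcmp(origin, "self") == 0)
		return list_has(list, "'self'") || list_has(list, "*");
	return list_has(list, "*") || list_has(list, origin);
}

int
main(void)
{
	/* The header value from the patch, trailing ';' included. */
	const char *hdr = "default-src 'none'; style-src 'self';";

	printf("stylesheet, same origin: %d\n", csp_allows(hdr, "style-src", "self"));
	printf("inline style attribute:  %d\n", csp_allows(hdr, "style-src", "inline"));
	printf("script, same origin:     %d\n", csp_allows(hdr, "script-src", "self"));
	printf("image from cdn.example:  %d\n", csp_allows(hdr, "img-src", "cdn.example"));
	return 0;
}
```

The same function also shows why the question in the message matters: with this policy an inline style attribute is refused outright, so any `style=` that mandoc still emitted would be silently dropped by the browser rather than rendered.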