From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from localhost (mandoc.bsd.lv [local])
	by mandoc.bsd.lv (OpenSMTPD) with ESMTPA id 5b2c7c70
	for <source@mandoc.bsd.lv>;
	Thu, 7 Nov 2019 17:58:48 -0500 (EST)
Date: Thu, 7 Nov 2019 17:58:48 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: cvsweb: For defense-in-depth against XSS attacks, add a 
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-ID: <8d0763a6a67c8b1a@mandoc.bsd.lv>

Log Message:
-----------
For defense-in-depth against XSS attacks, add a Content-Security-Policy
Response header as a second layer mitigation.  Basic idea suggested
by sthen@.

Tags:
----
FreeBSD-cvsweb-2_0-branch

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.22
retrieving revision 3.119.2.23
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.22 -r3.119.2.23
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -3558,8 +3558,14 @@ sub http_header(;$) {
 
 	if ($is_mod_perl) {
 		Apache->request->content_type($content_type);
+		Apache->request->header_out("Content-Security-Policy" =>
+		    "default-src 'none'; image-src 'self'; " .
+		    "style-src 'self' 'unsafe-inline'");
 	} else {
 		print "Content-Type: $content_type\r\n";
+		print "Content-Security-Policy: ",
+		    "default-src 'none'; image-src 'self'; ",
+		    "style-src 'self' 'unsafe-inline';\r\n";
 	}
 
 	if ($allow_compress && $maycompress) {
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv