* cvsweb: For defense-in-depth against XSS attacks, add a
@ 2019-11-07 22:58 schwarze
0 siblings, 0 replies; only message in thread
From: schwarze @ 2019-11-07 22:58 UTC (permalink / raw)
To: source
Log Message:
-----------
For defense-in-depth against XSS attacks, add a Content-Security-Policy
Response header as a second layer mitigation. Basic idea suggested
by sthen@.
Tags:
----
FreeBSD-cvsweb-2_0-branch
Modified Files:
--------------
cvsweb:
cvsweb.cgi
Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.22
retrieving revision 3.119.2.23
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.22 -r3.119.2.23
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -3558,8 +3558,14 @@ sub http_header(;$) {
if ($is_mod_perl) {
Apache->request->content_type($content_type);
+ Apache->request->header_out("Content-Security-Policy" =>
+ "default-src 'none'; image-src 'self'; " .
+ "style-src 'self' 'unsafe-inline'");
} else {
print "Content-Type: $content_type\r\n";
+ print "Content-Security-Policy: ",
+ "default-src 'none'; image-src 'self'; ",
+ "style-src 'self' 'unsafe-inline';\r\n";
}
if ($allow_compress && $maycompress) {
--
To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-11-07 22:58 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-07 22:58 cvsweb: For defense-in-depth against XSS attacks, add a schwarze
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).