source@mandoc.bsd.lv
 help / color / Atom feed
* cvsweb: similar to revisions 3.119.2.23 and 3.119.2.24: For 
@ 2019-11-09 10:18 schwarze
  0 siblings, 0 replies; only message in thread
From: schwarze @ 2019-11-09 10:18 UTC (permalink / raw)
  To: source

Log Message:
-----------
similar to revisions 3.119.2.23 and 3.119.2.24:
For defense-in-depth against XSS attacks, add a Content-Security-Policy
Response header as a second layer mitigation.  Basic idea suggested
by sthen@.

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 4.9
retrieving revision 4.10
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r4.9 -r4.10
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -4242,6 +4242,8 @@ sub http_header(;$$)
   push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT')
     if $moddate;
   push(@headers, 'Content-Type: ' . $content_type);
+  push(@headers, "Content-Security-Policy: default-src 'none'; " .
+    "img-src 'self'; style-src 'unsafe-inline'");
 
   if ($allow_compress && $maycompress) {
     if (HAS_ZLIB
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-09 10:18 cvsweb: similar to revisions 3.119.2.23 and 3.119.2.24: For schwarze

source@mandoc.bsd.lv

Archives are clonable: git clone --mirror http://inbox.vuxu.org/mandoc-source

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.mandoc.source


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git