From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from localhost (mandoc.bsd.lv [local])
	by mandoc.bsd.lv (OpenSMTPD) with ESMTPA id dffc0f68
	for <source@mandoc.bsd.lv>;
	Sat, 9 Nov 2019 05:18:39 -0500 (EST)
Date: Sat, 9 Nov 2019 05:18:39 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: cvsweb: similar to revisions 3.119.2.23 and 3.119.2.24: For 
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-ID: <8d076921ed710290@mandoc.bsd.lv>

Log Message:
-----------
similar to revisions 3.119.2.23 and 3.119.2.24:
For defense-in-depth against XSS attacks, add a Content-Security-Policy
Response header as a second layer mitigation.  Basic idea suggested
by sthen@.

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 4.9
retrieving revision 4.10
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r4.9 -r4.10
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -4242,6 +4242,8 @@ sub http_header(;$$)
   push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT')
     if $moddate;
   push(@headers, 'Content-Type: ' . $content_type);
+  push(@headers, "Content-Security-Policy: default-src 'none'; " .
+    "img-src 'self'; style-src 'unsafe-inline'");
 
   if ($allow_compress && $maycompress) {
     if (HAS_ZLIB
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv