source@mandoc.bsd.lv
* cvsweb: similar to revisions 3.119.2.23 and 3.119.2.24: For
@ 2019-11-09 10:18 schwarze
  0 siblings, 0 replies; only message in thread
From: schwarze @ 2019-11-09 10:18 UTC (permalink / raw)
  To: source

Log Message:
-----------
similar to revisions 3.119.2.23 and 3.119.2.24:
For defense-in-depth against XSS attacks, add a Content-Security-Policy
Response header as a second layer mitigation.  Basic idea suggested
by sthen@.

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 4.9
retrieving revision 4.10
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r4.9 -r4.10
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -4242,6 +4242,8 @@ sub http_header(;$$)
   push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT')
     if $moddate;
   push(@headers, 'Content-Type: ' . $content_type);
+  push(@headers, "Content-Security-Policy: default-src 'none'; " .
+    "img-src 'self'; style-src 'unsafe-inline'");
 
   if ($allow_compress && $maycompress) {
     if (HAS_ZLIB
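Review bot: `default-src 'none'` does not cover the `base-uri`, `form-action` and `frame-ancestors` directives, which have no fallback to `default-src`, so a cvsweb page that still contains an injected `<base>` or a form posting elsewhere is not restricted by this header; consider appending `base-uri 'none'; form-action 'self'; frame-ancestors 'none'` to the string built on the two added lines. The `style-src 'unsafe-inline'` value also keeps CSS injection open as a second-layer gap; if the inline styles cvsweb emits can be moved into an external stylesheet served from the same origin, `style-src 'self'` would close it. Since the header is pushed unconditionally right after `Content-Type`, it will also accompany raw file checkouts and diffs, which is harmless for non-HTML bodies but worth a one-line comment so the next reader does not try to scope it.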
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
