source@mandoc.bsd.lv
* mandoc: Add a Content-Security-Policy HTTP header that allows only CSS.
@ 2019-11-10 22:35 schwarze
  0 siblings, 0 replies; only message in thread
From: schwarze @ 2019-11-10 22:35 UTC (permalink / raw)
  To: source

Log Message:
-----------
Add a Content-Security-Policy HTTP header that allows only CSS.
This ensures that in a modern browser that understands the header,
mandoc rendering bugs cannot possibly be interpreted as JavaScript.
Patch from bentley@.

Modified Files:
--------------
    mandoc:
        cgi.c

Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/cgi.c,v
retrieving revision 1.168
retrieving revision 1.169
diff -Lcgi.c -Lcgi.c -u -p -r1.168 -r1.169
--- cgi.c
+++ cgi.c
@@ -340,6 +340,8 @@ resp_begin_http(int code, const char *ms
 
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	     "Cache-Control: no-cache\r\n"
+	     "Content-Security-Policy: default-src 'none'; "
+	     "style-src 'self' 'unsafe-inline'\r\n"
 	     "Pragma: no-cache\r\n"
 	     "\r\n");
 
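Review bot: the `'unsafe-inline'` source in `style-src` is only warranted if the HTML that mandoc emits relies on `style=` attributes or inline `<style>` blocks; if all styling comes from the linked stylesheet, `style-src 'self'` alone is tighter. Two further directives are worth considering in the same header, since neither falls back to `default-src 'none'`: `form-action 'self'` (restricts where any emitted form may submit) and `base-uri 'none'` (prevents an injected `<base>` element from redirecting relative stylesheet URLs). Also worth noting in the commit message is that `default-src 'none'` blocks images and fonts as well as scripts, which is fine for this output but changes behaviour for any operator who customises the stylesheet to reference remote fonts.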
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv

