* mandoc: Add a Content-Security-Policy HTTP header that allows only CSS.
@ 2019-11-10 22:35 schwarze
From: schwarze @ 2019-11-10 22:35 UTC (permalink / raw)
To: source
Log Message:
-----------
Add a Content-Security-Policy HTTP header that allows only CSS.
This ensures that in a modern browser that understands the header,
mandoc rendering bugs cannot possibly be interpreted as JavaScript.
Patch from bentley@.
Modified Files:
--------------
mandoc:
cgi.c
Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/cgi.c,v
retrieving revision 1.168
retrieving revision 1.169
diff -Lcgi.c -Lcgi.c -u -p -r1.168 -r1.169
--- cgi.c
+++ cgi.c
@@ -340,6 +340,8 @@ resp_begin_http(int code, const char *ms
printf("Content-Type: text/html; charset=utf-8\r\n"
"Cache-Control: no-cache\r\n"
+ "Content-Security-Policy: default-src 'none'; "
+ "style-src 'self' 'unsafe-inline'\r\n"
"Pragma: no-cache\r\n"
"\r\n");
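Review bot: the two added `Content-Security-Policy` lines leave `base-uri` and `form-action` unrestricted, because neither directive falls back to `default-src`; if the rendered page contains a form or could ever carry an injected `<base>` element, consider appending `base-uri 'none'; form-action 'self'` to the same header string. Also, `'unsafe-inline'` in `style-src` is only needed if the generated HTML emits `style=` attributes or `<style>` blocks, and it still permits injected CSS (a far smaller risk than script, but worth confirming as intentional); if the inline rules are fixed, a hash or nonce source would be the stricter alternative.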