From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from localhost (mandoc.bsd.lv [local]) by mandoc.bsd.lv (OpenSMTPD) with ESMTPA id debd9a47 for ; Sun, 10 Nov 2019 17:35:55 -0500 (EST)
Date: Sun, 10 Nov 2019 17:35:55 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: mandoc: Add a Content-Security-Policy HTTP header that allows only CSS.
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-ID: <8d0770caef602ab1@mandoc.bsd.lv>

Log Message:
-----------
Add a Content-Security-Policy HTTP header that allows only CSS.
This ensures that in a modern browser that understands the header,
mandoc rendering bugs cannot possibly be interpreted as JavaScript.
Patch from bentley@.

Modified Files:
--------------
    mandoc:
        cgi.c

Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/cgi.c,v
retrieving revision 1.168
retrieving revision 1.169
diff -Lcgi.c -Lcgi.c -u -p -r1.168 -r1.169
--- cgi.c
+++ cgi.c
@@ -340,6 +340,8 @@ resp_begin_http(int code, const char *ms
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	       "Cache-Control: no-cache\r\n"
+	       "Content-Security-Policy: default-src 'none'; "
+	       "style-src 'self' 'unsafe-inline'\r\n"
 	       "Pragma: no-cache\r\n"
 	       "\r\n");
--
To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
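Review bot: the two added lines set only default-src and style-src, and base-uri, form-action and frame-ancestors do not inherit from default-src, so `default-src 'none'` leaves form submission targets, the document base URL and framing at the browser's permissive defaults; consider appending `base-uri 'none'; form-action 'self'` (and `frame-ancestors 'none'` if the pages are not meant to be framed). Also note that `'unsafe-inline'` in style-src is what makes this policy "CSS only" rather than "no inline content": a rendering bug that emits a stray `style=` attribute or `<style>` element is still honoured, whereas inline scripts and event handlers are blocked because script-src falls back to `default-src 'none'`, which is the property the log message relies on.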
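An added check, not part of the mandoc commit or the project's code, that parses the policy value the hunk emits and resolves each directive through CSP's default-src fallback rule: it shows that script-src (and every other fetch directive) resolves to 'none' while style-src keeps 'self' and 'unsafe-inline', and it lists the directives that never fall back and so remain unset. The header value is copied from the patch; everything else is constructed here.

```python
# Resolves which source list governs each CSP directive, applying the rule
# that fetch directives fall back to default-src when absent while
# base-uri, form-action and frame-ancestors never do.

# Constructed copy of the header value the patch emits.
MANDOC_CSP = "default-src 'none'; style-src 'self' 'unsafe-inline'"

# Fetch directives that inherit from default-src when not set explicitly.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
)
# Directives that never fall back to default-src.
NO_FALLBACK_DIRECTIVES = ("base-uri", "form-action", "frame-ancestors")

def parse_csp(value):
    """Return {directive: [sources]}; duplicates after the first are ignored,
    as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Source list that governs `directive`, or None if nothing applies."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None

def scripts_blocked(policy):
    """True when neither inline nor external script may run."""
    return effective_sources(policy, "script-src") == ["'none'"]

def unrestricted_directives(policy):
    """Non-fallback directives left unset, i.e. at the browser's permissive default."""
    return [d for d in NO_FALLBACK_DIRECTIVES if d not in policy]

if __name__ == "__main__":
    p = parse_csp(MANDOC_CSP)
    for d in ("script-src", "style-src", "img-src", "form-action"):
        print(f"{d:12s} -> {effective_sources(p, d)}")
    print("scripts blocked:", scripts_blocked(p))
    print("unrestricted:", unrestricted_directives(p))
```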