From: "Anthony J. Bentley"
To: Ingo Schwarze
Cc: tech@mandoc.bsd.lv
Subject: Re: Content-Security-Policy for man.cgi
In-reply-to: <20191110174755.GA11024@athene.usta.de>
References: <37020-1573376361.432557@hhtH.9ww_.rVWG> <20191110102234.GC53073@athene.usta.de> <74937-1573390969.518612@LNmC.KNpy.68m_> <20191110174755.GA11024@athene.usta.de>
X-Mailinglist: mandoc-tech
Date: Sun, 10 Nov 2019 13:09:05 -0700
Message-ID: <1076-1573416545.590100@piVC.Y-1h.zrhB>

Hi Ingo,

Ingo Schwarze writes:
> > It might be worth replacing these with stylesheet references for the
> > sake of having a CSP strict enough to prevent malicious inline CSS in
> > the manual body. But if not, we'll have to broaden the policy. Even a
> > broad CSS policy is better because we still completely block JavaScript.
>
> I think completely getting rid of style= isn't that hard, but i won't
> work too much on mandoc during a ports hackathon - so i have taken
> a TODO note for now (see below).

Then here's the new diff. (I removed the space after the semicolon as
it's optional.)

Index: cgi.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
retrieving revision 1.106
diff -u -p -r1.106 cgi.c
--- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
+++ cgi.c	10 Nov 2019 20:07:39 -0000
@@ -336,6 +336,8 @@ resp_begin_http(int code, const char *ms printf("Content-Type: text/html; charset=utf-8\r\n" "Cache-Control: no-cache\r\n" + "Content-Security-Policy: default-src 'none';" + "style-src 'self' 'unsafe-inline'\r\n" "Pragma: no-cache\r\n" "\r\n"); -- To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv
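Review bot: the 'unsafe-inline' source in style-src is what keeps the existing style= attributes in the manual body rendering, so this policy still permits attacker-controlled inline CSS until the TODO from the quoted message lands; default-src 'none' does block scripts, event handlers, frames, images and fonts from any origin, which is the real win here. Two small points on the two added lines: the adjacent literals concatenate to "default-src 'none';style-src 'self' 'unsafe-inline'" with no space after the semicolon, which is valid CSP but easy to misread as a typo in the source, so a short comment above the header (or keeping "; ") would help future readers; and directives such as frame-ancestors, form-action and base-uri do not fall back to default-src, so if man.cgi's pages should not be framed by other sites, "frame-ancestors 'none'" would need to be added explicitly rather than being implied by default-src 'none'.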