* Content-Security-Policy for man.cgi
From: Anthony J. Bentley @ 2019-11-10 8:59 UTC
To: tech; +Cc: schwarze

Hi,

Modern browsers respect the Content-Security-Policy header, which
restricts where dynamic resources like CSS and JavaScript can be
specified in an HTML document.

Since man.openbsd.org hosts manuals from many sources, and there's
always danger of a bug in mandoc that allows dangerous HTML content
through, a policy of "default-src 'none'; style-src 'self'" would be
appropriate: this allows external stylesheets loaded from a URL on
the same domain, but prohibits external links and inline CSS; scripts
are not allowed at all. (mandoc(1) no longer generates inline styles
at all, right?)

Index: cgi.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
retrieving revision 1.106
diff -u -p -r1.106 cgi.c
--- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
+++ cgi.c	10 Nov 2019 08:48:46 -0000
@@ -336,6 +336,7 @@ resp_begin_http(int code, const char *ms
 
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	    "Cache-Control: no-cache\r\n"
+	    "Content-Security-Policy: default-src 'none'; style-src 'self';\r\n"
 	    "Pragma: no-cache\r\n"
 	    "\r\n");

-- 
To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv
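Review bot: the added header line sends `style-src 'self'` without `'unsafe-inline'`, so browsers will refuse every `style=` attribute that mandoc still emits (the `<dd style="width: auto">`, `<var ... style="white-space: nowrap">` and tbl `<table>`/`<tr>`/`<td>` cases listed later in this thread); either remove those attributes first or add `'unsafe-inline'` to `style-src` until they are gone, and drop the trailing `;` after `'self'`, which the syntax does not require.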
* Re: Content-Security-Policy for man.cgi
From: Ingo Schwarze @ 2019-11-10 10:22 UTC
To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 01:59:21AM -0700:

> Modern browsers respect the Content-Security-Policy header,
> which restricts where dynamic resources like CSS and JavaScript
> can be specified in an HTML document.

I tried to read the standard https://www.w3.org/TR/CSP/
but miserably failed to understand anything because there
is so much indirection: "to do what <other standard> defines
in section 1.17.42.0 to the objects <yet another standard>
defines in section 4.3.2.1, use the methods described in
<some fourth standard> in section 36932451927, but only unless
the conditions explained in sections 666.0b and <aaah!>
apply."  And when you follow the pointers, you only find
more indirections to yet more places...  :-[

Do you know a place where that stuff is explained in a more
accessible reference-manual style?

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
turned out to be the other extreme: so imprecise and so much
handwaving that i didn't really understand it either.

> Since man.openbsd.org hosts manuals from many sources, and there's
> always danger of a bug in mandoc that allows dangerous HTML content
> through, a policy of "default-src 'none'; style-src 'self'" would be
> appropriate: this allows external stylesheets loaded from a URL on
> the same domain, but prohibits external links

You mean, prohibits embedding content (not sure whether that is the
correct term) from other sites?  Linking *to* other sites still
appears to be permitted...

> and inline CSS;

I do understand why inline CSS is bad style and can harm accessibility
and prevent formatting that is well adapted to the currently used
browsing device - but i fail to understand why a *security*
policy would worry about inline CSS.  Isn't "inline" by definition
the most secure source of content conceivable?

> scripts are not allowed at all.  (mandoc(1) no longer generates
> inline styles at all, right?)

In a very small number of places, it still does:

mdoc_html.c, mdoc_it_pre(), LIST_tag, ROFFT_BODY:
  print_otag(h, TAG_DD, "s", "width", "auto");
  <dd style="width: auto">

mdoc_html.c, mdoc_fn_pre():
  print_otag(h, TAG_VAR, "cs", "Fa", "white-space", "nowrap");
  <var class="Fa" style="white-space: nowrap">

tbl_html.c, html_tblopen():
  h->tblt = print_otag(h, TAG_TABLE, "c?ss", "tbl", ...
  <table class="tbl" border=1
   style="border-style: solid; border-top-style: double">

tbl_html.c, print_tbl():
  print_otag(h, TAG_TR, "ss",
      "border-left-style", lborder,
      "border-bottom-style", bborder);
  <tr style="border-left-style: solid; border-bottom-style: double">

tbl_html.c, print_tbl():
  print_otag(h, TAG_TD, "??sss", ...
  <td colspan=3 rowspan=2 style="vertical-align: top; text-align:
   center; border-right-style: solid">

> Index: cgi.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
> retrieving revision 1.106
> diff -u -p -r1.106 cgi.c
> --- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
> +++ cgi.c	10 Nov 2019 08:48:46 -0000
> @@ -336,6 +336,7 @@ resp_begin_http(int code, const char *ms
>  
>  	printf("Content-Type: text/html; charset=utf-8\r\n"
>  	    "Cache-Control: no-cache\r\n"
> +	    "Content-Security-Policy: default-src 'none'; style-src 'self';\r\n"

So would it have to be?:

	    "Content-Security-Policy: default-src 'none'; "
	    "style-src 'self' 'unsafe-inline'\r\n"

I think the semicolon in "'self';\r\n" isn't needed, right?

>  	    "Pragma: no-cache\r\n"
>  	    "\r\n");

By the way, could you check whether the CSP in

  https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10

makes any sense?

Thanks,
  Ingo
* Re: Content-Security-Policy for man.cgi
From: Anthony J. Bentley @ 2019-11-10 13:02 UTC
To: Ingo Schwarze; +Cc: tech

Hi Ingo,

Ingo Schwarze writes:
> I tried to read the standard https://www.w3.org/TR/CSP/
> but miserably failed to understand anything because there
> is so much indirection: "to do what <other standard> defines
> in section 1.17.42.0 to the objects <yet another standard>
> defines in section 4.3.2.1, use the methods described in
> <some fourth standard> in section 36932451927, but only unless
> the conditions explained in sections 666.0b and <aaah!>
> apply."  And when you follow the pointers, you only find
> more indirections to yet more places...  :-[

Hm, I guess I'm just used to reading W3C standards at this point.

> Do you know a place where that stuff is explained in a more
> accessible reference-manual style?

https://content-security-policy.com/ perhaps?

> > Since man.openbsd.org hosts manuals from many sources, and there's
> > always danger of a bug in mandoc that allows dangerous HTML content
> > through, a policy of "default-src 'none'; style-src 'self'" would be
> > appropriate: this allows external stylesheets loaded from a URL on
> > the same domain, but prohibits external links
>
> You mean, prohibits embedding content (not sure whether that is the
> correct term) from other sites?  Linking *to* other sites still
> appears to be permitted...

Sorry, that was jargon. I was referring to link elements here (as in:
"<link rel=stylesheet href=http://some.other.example.com/...>").

> > and inline CSS;
>
> I do understand why inline CSS is bad style and can harm accessibility
> and prevent formatting that is well adapted to the currently used
> browsing device - but i fail to understand why a *security*
> policy would worry about inline CSS.  Isn't "inline" by definition
> the most secure source of content conceivable?

In short, because modern CSS is so featureful that it is a vector for
XSS as much as JavaScript. I don't have any examples off the top of my
head but I'm sure that's not such an unbelievable statement.

> > scripts are not allowed at all.  (mandoc(1) no longer generates
> > inline styles at all, right?)
>
> In a very small number of places, it still does:
>
> mdoc_html.c, mdoc_it_pre(), LIST_tag, ROFFT_BODY:
>   print_otag(h, TAG_DD, "s", "width", "auto");
>   <dd style="width: auto">
>
> mdoc_html.c, mdoc_fn_pre():
>   print_otag(h, TAG_VAR, "cs", "Fa", "white-space", "nowrap");
>   <var class="Fa" style="white-space: nowrap">
>
> tbl_html.c, html_tblopen():
>   h->tblt = print_otag(h, TAG_TABLE, "c?ss", "tbl", ...
>   <table class="tbl" border=1
>    style="border-style: solid; border-top-style: double">
>
> tbl_html.c, print_tbl():
>   print_otag(h, TAG_TR, "ss",
>       "border-left-style", lborder,
>       "border-bottom-style", bborder);
>   <tr style="border-left-style: solid; border-bottom-style: double">
>
> tbl_html.c, print_tbl():
>   print_otag(h, TAG_TD, "??sss", ...
>   <td colspan=3 rowspan=2 style="vertical-align: top; text-align:
>    center; border-right-style: solid">

It might be worth replacing these with stylesheet references for the
sake of having a CSP strict enough to prevent malicious inline CSS in
the manual body. But if not, we'll have to broaden the policy. Even a
broad CSS policy is better because we still completely block JavaScript.

> I think the semicolon in "'self';\r\n" isn't needed, right?

It isn't needed.

> By the way, could you check whether the CSP in
>
>   https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10
>
> makes any sense?

Seems conceptually fine, though again "style-src 'self'" is strictly
better than "style-src 'unsafe-inline'" (but CVSWeb is not really
designed for that).

You'll notice that in the log you linked, images are blocked because
they're from cvsweb.bsd.lv, not mandoc.bsd.lv, and don't count as
'self'.

-- 
Anthony J. Bentley
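The three points argued above (a same-origin stylesheet passes `style-src 'self'`, a cross-origin `<link rel=stylesheet>` and any `style=` attribute do not, and images from cvsweb.bsd.lv are not `'self'` for a page on mandoc.bsd.lv) can be checked with a small policy evaluator. This is an added example, not mandoc's or either author's code; the two header strings are the ones from the diffs in this thread, while the page URL and the resource URLs are constructed.

```python
# Added example, not mandoc's code: a minimal evaluator for the CSP source
# keywords used in this thread ('none', 'self', 'unsafe-inline', host names).
# Wildcards, nonces and hashes are deliberately omitted.
from urllib.parse import urlsplit


def parse_csp(header):
    """Turn "default-src 'none'; style-src 'self'" into
    {"default-src": ["'none'"], "style-src": ["'self'"]}.
    A trailing ';' and a missing space after ';' are both tolerated."""
    policy = {}
    for directive in header.strip().split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname)


def _host_source_matches(src, url):
    """Plain host source such as 'https://cvsweb.bsd.lv' or 'cvsweb.bsd.lv'."""
    scheme, host = _origin(url)
    if "://" in src:
        return _origin(src) == (scheme, host)
    return src == host


def allows(header, page_url, directive, resource_url=None, inline=False):
    """True if a browser applying `header` to `page_url` would load the
    resource governed by `directive`; inline needs 'unsafe-inline'."""
    policy = parse_csp(header)
    # An absent fetch directive falls back to default-src; if that is
    # absent too, the load is unrestricted.
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in sources
    if sources == ["'none'"] or resource_url is None:
        return False
    page = _origin(page_url)
    for src in sources:
        if src == "'self'" and _origin(resource_url) == page:
            return True
        if not src.startswith("'") and _host_source_matches(src, resource_url):
            return True
    return False


# Constructed page URL; the headers are those of the first and second diff.
MAN_PAGE = "https://man.openbsd.org/mandoc.1"
STRICT = "default-src 'none'; style-src 'self';"
RELAXED = "default-src 'none';style-src 'self' 'unsafe-inline'"
```

With STRICT the `style=` attributes mandoc still emits are rejected, with RELAXED they load again, and under either header scripts remain blocked because `script-src` falls back to `default-src 'none'`.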
* Re: Content-Security-Policy for man.cgi
From: Ingo Schwarze @ 2019-11-10 17:47 UTC
To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 06:02:49AM -0700:
> Ingo Schwarze writes:

>> Do you know a place where that stuff is explained in a more
>> accessible reference-manual style?

> https://content-security-policy.com/ perhaps?

Thanks, i think now i have a partial understanding of what it does.

>>> Since man.openbsd.org hosts manuals from many sources, and there's
>>> always danger of a bug in mandoc that allows dangerous HTML content
>>> through, a policy of "default-src 'none'; style-src 'self'" would be
>>> appropriate: this allows external stylesheets loaded from a URL on
>>> the same domain, but prohibits external links

>> You mean, prohibits embedding content (not sure whether that is the
>> correct term) from other sites?  Linking *to* other sites still
>> appears to be permitted...

> Sorry, that was jargon. I was referring to link elements here (as in:
> "<link rel=stylesheet href=http://some.other.example.com/...>").

Oh, <link>...  I see.

>> I do understand why inline CSS is bad style and can harm accessibility
>> and prevent formatting that is well adapted to the currently used
>> browsing device - but i fail to understand why a *security*
>> policy would worry about inline CSS.  Isn't "inline" by definition
>> the most secure source of content conceivable?

> In short, because modern CSS is so featureful that it is a vector for
> XSS as much as JavaScript. I don't have any examples off the top of my
> head but I'm sure that's not such an unbelievable statement.

The idea didn't occur to me, but now that you say it, it does sound
plausible.

>>> scripts are not allowed at all.  (mandoc(1) no longer generates
>>> inline styles at all, right?)

>> In a very small number of places, it still does:

> It might be worth replacing these with stylesheet references for the
> sake of having a CSP strict enough to prevent malicious inline CSS in
> the manual body. But if not, we'll have to broaden the policy. Even a
> broad CSS policy is better because we still completely block JavaScript.

I think completely getting rid of style= isn't that hard, but i won't
work too much on mandoc during a ports hackathon - so i have taken
a TODO note for now (see below).

>> By the way, could you check whether the CSP in
>>
>>   https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10
>>
>> makes any sense?

> Seems conceptually fine, though again "style-src 'self'" is strictly
> better than "style-src 'unsafe-inline'" (but CVSWeb is not really
> designed for that).

Eventually, it might be useful to clean up that aspect of cvsweb,
just like many other aspects need cleaning up.  But that one seems
relatively far away indeed.

> You'll notice that in the log you linked, images are blocked because
> they're from cvsweb.bsd.lv, not mandoc.bsd.lv,

Oops.  That was unintentional.  Ultimately, i hope to move all of
cvsweb.bsd.lv (including the running CGI) to cvsweb.bsd.lv, but that
still requires some preparations.

> and don't count as 'self'.

Fixed with the appropriate httpd.conf(5) rules for now, thanks for
the report.

Yours,
  Ingo


Log Message:
-----------
want to get rid of the last style= attributes,
suggested by bentley@

Modified Files:
--------------
    mandoc:
        TODO

Revision Data
-------------
Index: TODO
===================================================================
RCS file: /home/cvs/mandoc/mandoc/TODO,v
retrieving revision 1.296
retrieving revision 1.297
diff -LTODO -LTODO -u -p -r1.296 -r1.297
--- TODO
+++ TODO
@@ -382,6 +382,11 @@ are mere guesses, and some may be wrong.
 
 --- HTML issues --------------------------------------------------------
 
+- get rid of the last handful of style= attributes such that
+  Content-Security-Policy: can be enabled without unsafe-inline
+  suggested by bentley@  Nov 10, 2019 at 06:02:49AM -0700
+  loc *  exist *  algo *  size *  imp **
+
 - .Bf at the beginning of a paragraph inserts a bogus 1ex horizontal
   space, see for example random(3).  Introduced in
   http://mdocml.bsd.lv/cgi-bin/cvsweb/mdoc_html.c.diff?r1=1.91&r2=1.92
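Review bot: the new TODO entry would be easier to act on if it named the places that still emit `style=`, which this thread already lists (mdoc_it_pre() and mdoc_fn_pre() in mdoc_html.c, html_tblopen() and print_tbl() in tbl_html.c); as written, whoever picks it up has to rediscover them. A smaller point: `Content-Security-Policy:` with the trailing colon reads like a header line rather than the header name, so "the Content-Security-Policy header can be enabled without 'unsafe-inline'" would be clearer.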
* Re: Content-Security-Policy for man.cgi
From: Anthony J. Bentley @ 2019-11-10 20:09 UTC
To: Ingo Schwarze; +Cc: tech

Hi Ingo,

Ingo Schwarze writes:
> > It might be worth replacing these with stylesheet references for the
> > sake of having a CSP strict enough to prevent malicious inline CSS in
> > the manual body. But if not, we'll have to broaden the policy. Even a
> > broad CSS policy is better because we still completely block JavaScript.
>
> I think completely getting rid of style= isn't that hard, but i won't
> work too much on mandoc during a ports hackathon - so i have taken
> a TODO note for now (see below).

Then here's the new diff. (I removed the space after the semicolon as
it's optional.)

Index: cgi.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
retrieving revision 1.106
diff -u -p -r1.106 cgi.c
--- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
+++ cgi.c	10 Nov 2019 20:07:39 -0000
@@ -336,6 +336,8 @@ resp_begin_http(int code, const char *ms
 
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	    "Cache-Control: no-cache\r\n"
+	    "Content-Security-Policy: default-src 'none';"
+	    "style-src 'self' 'unsafe-inline'\r\n"
 	    "Pragma: no-cache\r\n"
 	    "\r\n");
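Review bot: adding `'unsafe-inline'` to `style-src` re-allows exactly the inline CSS in manual bodies that the first message set out to block, so the two added lines deserve a comment saying the keyword is temporary and pointing at the TODO entry that tracks removal of the remaining `style=` attributes; otherwise it will silently outlive the cleanup. Also, the two adjacent literals concatenate to `default-src 'none';style-src ...`, which parses, but a space after the `;` would match the `charset=utf-8` line above and make the header easier to read in a capture.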
* Re: Content-Security-Policy for man.cgi
From: Ingo Schwarze @ 2019-11-10 20:57 UTC
To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 01:09:05PM -0700:
> Ingo Schwarze writes:

>> I think completely getting rid of style= isn't that hard, but i won't
>> work too much on mandoc during a ports hackathon - so i have taken
>> a TODO note for now (see below).

> Then here's the new diff.

I have installed that diff on man.openbsd.org for testing, and my
impression is that it works as intended.  Maybe you want to have a
look at what that server now does, too, and if you are also satisfied,
feel free to commit it.

It may be only a few weeks until i come round to the style= cleanup,
but why not make it better in the meantime.

> (I removed the space after the semicolon as it's optional.)

Actually (bikeshed), i'd prefer to have that space

	    'none'; "

because it makes the header easier to read for humans (even though
i admit not as many humans as browsers may be in the habit of reading
HTTP headers), and for symmetry with the line just above (before
"charset").

Yours,
  Ingo

> Index: cgi.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
> retrieving revision 1.106
> diff -u -p -r1.106 cgi.c
> --- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
> +++ cgi.c	10 Nov 2019 20:07:39 -0000
> @@ -336,6 +336,8 @@ resp_begin_http(int code, const char *ms
>  
>  	printf("Content-Type: text/html; charset=utf-8\r\n"
>  	    "Cache-Control: no-cache\r\n"
> +	    "Content-Security-Policy: default-src 'none';"
> +	    "style-src 'self' 'unsafe-inline'\r\n"
>  	    "Pragma: no-cache\r\n"
>  	    "\r\n");