From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from scc-mailout-kit-02.scc.kit.edu (scc-mailout-kit-02.scc.kit.edu [129.13.231.82])
	by mandoc.bsd.lv (OpenSMTPD) with ESMTP id cbdb2a2f
	for ; Sun, 10 Nov 2019 05:22:38 -0500 (EST)
Received: from hekate.asta.kit.edu ([141.3.145.153] helo=hekate.usta.de)
	by scc-mailout-kit-02.scc.kit.edu with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(envelope-from ) id 1iTkMe-0002Ve-Dq; Sun, 10 Nov 2019 11:22:37 +0100
Received: from donnerwolke.asta.kit.edu ([141.3.145.61] helo=donnerwolke.usta.de)
	by hekate.usta.de with esmtp (Exim 4.92.2)
	(envelope-from ) id 1iTkMc-00071P-Ss; Sun, 10 Nov 2019 11:22:34 +0100
Received: from athene.asta.kit.edu ([141.3.145.60] helo=athene.usta.de)
	by donnerwolke.usta.de with esmtp (Exim 4.84_2)
	(envelope-from ) id 1iTkMc-0002ta-M7; Sun, 10 Nov 2019 11:22:34 +0100
Received: from localhost (athene.usta.de [local])
	by athene.usta.de (OpenSMTPD) with ESMTPA id 63b866a0;
	Sun, 10 Nov 2019 11:22:34 +0100 (CET)
Date: Sun, 10 Nov 2019 11:22:34 +0100
From: Ingo Schwarze
To: "Anthony J. Bentley"
Cc: tech@mandoc.bsd.lv
Subject: Re: Content-Security-Policy for man.cgi
Message-ID: <20191110102234.GC53073@athene.usta.de>
References: <37020-1573376361.432557@hhtH.9ww_.rVWG>
X-Mailinglist: mandoc-tech
Reply-To: tech@mandoc.bsd.lv
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <37020-1573376361.432557@hhtH.9ww_.rVWG>
User-Agent: Mutt/1.12.2 (2019-09-21)

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 01:59:21AM -0700:

> Modern browsers respect the Content-Security-Policy header,
> which restricts where dynamic resources like CSS and JavaScript
> can be specified in an HTML document.

I tried to read the standard

  https://www.w3.org/TR/CSP/

but miserably failed to understand anything because there is so much
indirection: "to do what is defined in section 1.17.42.0 to the objects
defined in section 4.3.2.1, use the methods described in section
36932451927, but only unless the conditions explained in sections 666.0b
and apply."  And when you follow the pointers, you only find more
indirections to yet more places...  :-[

Do you know a place where that stuff is explained in a more accessible
reference-manual style?

  https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

turned out to be the other extreme: so imprecise and so much handwaving
that i didn't really understand it either.

> Since man.openbsd.org hosts manuals from many sources, and there's
> always danger of a bug in mandoc that allows dangerous HTML content
> through, a policy of "default-src 'none'; style-src 'self'" would be
> appropriate: this allows external stylesheets loaded from a URL on
> the same domain, but prohibits external links

You mean, prohibits embedding content (not sure whether that is the
correct term) from other sites?  Linking *to* other sites still
appears to be permitted...

> and inline CSS;

I do understand why inline CSS is bad style and can harm accessibility
and prevent formatting that is well adapted to the currently used
browsing device - but i fail to understand why a *security* policy
would worry about inline CSS.  Isn't "inline" by definition the most
secure source of content conceivable?

> scripts are not allowed at all.  (mandoc(1) no longer generates
> inline styles at all, right?)

In a very small number of places, it still does:

mdoc_html.c, mdoc_it_pre(), LIST_tag, ROFFT_BODY:
	print_otag(h, TAG_DD, "s", "width", "auto");
mdoc_html.c, mdoc_fn_pre():
	print_otag(h, TAG_VAR, "cs", "Fa", "white-space", "nowrap");

tbl_html.c, html_tblopen():
	h->tblt = print_otag(h, TAG_TABLE, "c?ss", "tbl", ...

tbl_html.c, print_tbl():
	print_otag(h, TAG_TR, "ss",
	    "border-left-style", lborder, "border-bottom-style", bborder);

tbl_html.c, print_tbl():
	print_otag(h, TAG_TD, "??sss", ...

> Index: cgi.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
> retrieving revision 1.106
> diff -u -p -r1.106 cgi.c
> --- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
> +++ cgi.c	10 Nov 2019 08:48:46 -0000
> @@ -336,6 +336,7 @@ resp_begin_http(int code, const char *ms
> 
> printf("Content-Type: text/html; charset=utf-8\r\n"
> "Cache-Control: no-cache\r\n"
> + "Content-Security-Policy: default-src 'none'; style-src 'self';\r\n"

So would it have to be?:

	"Content-Security-Policy: default-src 'none'; "
	    "style-src 'self' 'unsafe-inline'\r\n"

I think the semicolon in "'self';\r\n" isn't needed, right?

> "Pragma: no-cache\r\n"
> "\r\n");

By the way, could you check whether the CSP in

  https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10

makes any sense?

Thanks,
  Ingo

-- 
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv
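Review bot: as the `+` line in the resp_begin_http() hunk stands, `style-src 'self'` will block the inline `style=` attributes that the code listing earlier in this reply shows mandoc still emitting (the `"s"` format arguments to print_otag() in mdoc_it_pre(), mdoc_fn_pre(), html_tblopen() and print_tbl()): style attributes are governed by style-src-attr, which inherits from style-src, and `'self'` never matches inline content. Either those print_otag() calls are converted to CSS classes before this header ships, or the directive has to read `"style-src 'self' 'unsafe-inline'\r\n"`. The trailing `;` before `\r\n` is allowed by the grammar but carries no meaning and can be dropped, so the line can simply be `"Content-Security-Policy: default-src 'none'; style-src 'self'\r\n"`.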
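The two behaviours the thread turns on, that an absent fetch directive such as style-src or script-src falls back to default-src, and that a `style="..."` attribute is only honoured when the governing directive carries 'unsafe-inline', can be checked with a small policy evaluator. The following is an added example written for this page; it is not mandoc code and not code posted by either participant. It ignores nonces and hashes (which override 'unsafe-inline'), does not infer default ports, and uses constructed page and resource URLs. Hyperlinks (`<a href>`) to other sites are not fetches and are therefore not modelled: CSP fetch directives do not govern navigation.

```python
"""Minimal Content-Security-Policy evaluator (added example, not mandoc code).

Models the directive-fallback and source-matching rules that decide what
"default-src 'none'; style-src 'self'" actually permits.  Simplifications:
nonces/hashes and the http->https 'self' upgrade are not modelled, default
ports are not inferred, and all URLs are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Fallback chain from the CSP specification: the -attr/-elem variants fall
# back to the plain directive, which in turn falls back to default-src.
FALLBACK = {
    "style-src-attr": "style-src", "style-src-elem": "style-src",
    "script-src-attr": "script-src", "script-src-elem": "script-src",
    "style-src": "default-src", "script-src": "default-src",
    "img-src": "default-src", "font-src": "default-src",
}


def parse_csp(header):
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated, so a trailing ';' only yields an empty
    token, which is skipped.  A repeated directive is ignored, as the
    specification requires (the first occurrence wins)."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def governing_sources(policy, directive):
    """Walk the fallback chain; None means nothing restricts this fetch."""
    while directive is not None:
        if directive in policy:
            return policy[directive]
        directive = FALLBACK.get(directive)
    return None


def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def _host_source_matches(expr, url):
    """host-source: [scheme://]host[:port]; host may start with '*.'."""
    if "://" in expr:
        scheme, _, rest = expr.partition("://")
    else:
        scheme, rest = None, expr
    host, _, port = rest.split("/", 1)[0].partition(":")
    u = urlsplit(url)
    if scheme and scheme != u.scheme.lower():
        return False
    if port and port != "*" and port != str(u.port or ""):
        return False  # simplification: default ports are not inferred
    h = (u.hostname or "").lower()
    if host.startswith("*."):
        return h.endswith(host[1:])  # *.example.org matches subdomains only
    return h == host


def allows_url(policy, directive, url, page_url):
    """May `page_url` fetch the resource at `url` under `directive`?"""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True
    for expr in (s.lower() for s in sources):
        if expr == "'self'":
            if _origin(url) == _origin(page_url):
                return True
        elif expr == "*":
            if urlsplit(url).scheme.lower() in ("http", "https"):
                return True
        elif expr.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes never match a URL
        elif _host_source_matches(expr, url):
            return True
    return False


def allows_inline(policy, directive):
    """May inline content (e.g. a style="..." attribute) be applied?"""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True
    return "'unsafe-inline'" in (s.lower() for s in sources)


PAGE = "https://man.openbsd.org/mandoc.1"  # constructed document URL


def demo():
    """Evaluate the proposed policy and the 'unsafe-inline' variant."""
    proposed = parse_csp("default-src 'none'; style-src 'self';")
    relaxed = parse_csp("default-src 'none'; style-src 'self' 'unsafe-inline'")
    return {
        "same-origin stylesheet": allows_url(
            proposed, "style-src-elem", "https://man.openbsd.org/mandoc.css", PAGE),
        "third-party stylesheet": allows_url(
            proposed, "style-src-elem", "https://cdn.example.net/x.css", PAGE),
        "same-origin script": allows_url(
            proposed, "script-src-elem", "https://man.openbsd.org/x.js", PAGE),
        "inline style attribute": allows_inline(proposed, "style-src-attr"),
        "inline style attribute with 'unsafe-inline'":
            allows_inline(relaxed, "style-src-attr"),
    }


if __name__ == "__main__":
    for what, ok in demo().items():
        print(f"{what:46s} {'allowed' if ok else 'blocked'}")
```

Running it shows the same-origin stylesheet allowed, the third-party stylesheet and any script blocked, and the inline `style=` attribute blocked under the proposed policy but allowed once `'unsafe-inline'` is added to style-src. Parsing the policy with and without the trailing `;` yields the same directive map.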