tech@mandoc.bsd.lv
* Content-Security-Policy for man.cgi
@ 2019-11-10  8:59 Anthony J. Bentley
  2019-11-10 10:22 ` Ingo Schwarze
  0 siblings, 1 reply; 6+ messages in thread
From: Anthony J. Bentley @ 2019-11-10  8:59 UTC (permalink / raw)
  To: tech; +Cc: schwarze

Hi,

Modern browsers respect the Content-Security-Policy header, which
restricts where dynamic resources like CSS and JavaScript can be
specified in an HTML document.

Since man.openbsd.org hosts manuals from many sources, and there's
always danger of a bug in mandoc that allows dangerous HTML content
through, a policy of "default-src 'none'; style-src 'self'" would be
appropriate: this allows external stylesheets loaded from a URL on
the same domain, but prohibits external links and inline CSS; scripts
are not allowed at all. (mandoc(1) no longer generates inline styles
at all, right?)

Index: cgi.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
retrieving revision 1.106
diff -u -p -r1.106 cgi.c
--- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
+++ cgi.c	10 Nov 2019 08:48:46 -0000
@@ -336,6 +336,7 @@ resp_begin_http(int code, const char *ms
 
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	     "Cache-Control: no-cache\r\n"
+	     "Content-Security-Policy: default-src 'none'; style-src 'self';\r\n"
 	     "Pragma: no-cache\r\n"
 	     "\r\n");
 
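Review bot: "style-src 'self'" without 'unsafe-inline' blocks every style= attribute, and mandoc still emits a handful of them (mdoc_html.c mdoc_it_pre() and mdoc_fn_pre(), tbl_html.c html_tblopen() and print_tbl(), as listed in the reply below), so tagged lists and tbl(7) tables on man.openbsd.org would lose those widths and borders as soon as this header ships. Either move those declarations into the stylesheet as classes first, or add 'unsafe-inline' to style-src as an interim step. Minor: the ';' after 'self' is redundant, since ';' separates directives and nothing follows it.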
--
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv


* Re: Content-Security-Policy for man.cgi
  2019-11-10  8:59 Content-Security-Policy for man.cgi Anthony J. Bentley
@ 2019-11-10 10:22 ` Ingo Schwarze
  2019-11-10 13:02   ` Anthony J. Bentley
  0 siblings, 1 reply; 6+ messages in thread
From: Ingo Schwarze @ 2019-11-10 10:22 UTC (permalink / raw)
  To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 01:59:21AM -0700:

> Modern browsers respect the Content-Security-Policy header,
> which restricts where dynamic resources like CSS and JavaScript
> can be specified in an HTML document.

I tried to read the standard https://www.w3.org/TR/CSP/
but miserably failed to understand anything because there
is so much indirection: "to do what <other standard> defines
in section 1.17.42.0 to the objects <yet another standard>
defines in section 4.3.2.1, use the methods described in
<some fourth standard> in section 36932451927, but only unless
the conditions explained in sections 666.0b and <aaah!>
apply."  And when you follow the pointers, you only find
more indirections to yet more places...  :-[

Do you know a place where that stuff is explained in a more
accessible reference-manual style?

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
turned out to be the other extreme: so imprecise and so much
handwaving that i didn't really understand it either.


> Since man.openbsd.org hosts manuals from many sources, and there's
> always danger of a bug in mandoc that allows dangerous HTML content
> through, a policy of "default-src 'none'; style-src 'self'" would be
> appropriate: this allows external stylesheets loaded from a URL on
> the same domain, but prohibits external links

You mean, prohibits embedding content (not sure whether that is the
correct term) from other sites?  Linking *to* other sites still
appears to be permitted...


> and inline CSS;

I do understand why inline CSS is bad style and can harm accessibility
and prevent formatting that is well adapted to the currently used
browsing device - but i fail to understand why a *security*
policy would worry about inline CSS.  Isn't "inline" by definition
the most secure source of content conceivable?


> scripts are not allowed at all. (mandoc(1) no longer generates
> inline styles at all, right?)

In a very small number of places, it still does:

mdoc_html.c, mdoc_it_pre(), LIST_tag, ROFFT_BODY:
	print_otag(h, TAG_DD, "s", "width", "auto");
	<dd style="width: auto">

mdoc_html.c, mdoc_fn_pre():
	print_otag(h, TAG_VAR, "cs", "Fa", "white-space", "nowrap");
	<var class=Fa" style="white-space: nowrap">

tbl_html.c, html_tblopen():
	h->tblt = print_otag(h, TAG_TABLE, "c?ss", "tbl", ...
	<tbl class="tbl" border=1
             style="border-style: solid; border-top-style: double">

tbl_html.c, print_tbl():
	print_otag(h, TAG_TR, "ss",
            "border-left-style", lborder,
            "border-bottom-style", bborder);
	<tr style="border-left-style: solid; border-bottom-style: double">

tbl_html.c, print_tbl():
	print_otag(h, TAG_TD, "??sss", ...
	<td colspan=3 rowspan=2 style="vertical-align: top; text-align;
            center; border-right-style: solid">


> Index: cgi.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
> retrieving revision 1.106
> diff -u -p -r1.106 cgi.c
> --- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
> +++ cgi.c	10 Nov 2019 08:48:46 -0000
> @@ -336,6 +336,7 @@ resp_begin_http(int code, const char *ms
>  
>  	printf("Content-Type: text/html; charset=utf-8\r\n"
>  	     "Cache-Control: no-cache\r\n"
> +	     "Content-Security-Policy: default-src 'none'; style-src 'self';\r\n"

So would it have to be?:

	"Content-Security-Policy: default-src 'none'; "
	"style-src 'self' 'unsafe-inline'\r\n"

I think the semicolon in "'self';\r\n" isn't needed, right?

>  	     "Pragma: no-cache\r\n"
>  	     "\r\n");
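Review bot: the two-literal form proposed above ("'none'; " followed by "style-src 'self' 'unsafe-inline'\r\n") relies on C adjacent-string concatenation, so whatever separates the two directives has to live inside one of the literals; the trailing space in "'none'; " does that, and dropping the ';' after 'unsafe-inline' is correct because nothing follows it. Note that 'unsafe-inline' re-admits exactly the inline CSS the first message wanted to block, so it belongs with the style= removals in mdoc_html.c and tbl_html.c listed above rather than as the permanent policy.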

By the way, could you check whether the CSP in

  https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10

makes any sense?

Thanks,
  Ingo

* Re: Content-Security-Policy for man.cgi
  2019-11-10 10:22 ` Ingo Schwarze
@ 2019-11-10 13:02   ` Anthony J. Bentley
  2019-11-10 17:47     ` Ingo Schwarze
  0 siblings, 1 reply; 6+ messages in thread
From: Anthony J. Bentley @ 2019-11-10 13:02 UTC (permalink / raw)
  To: Ingo Schwarze; +Cc: tech

Hi Ingo,

Ingo Schwarze writes:
> I tried to read the standard https://www.w3.org/TR/CSP/
> but miserably failed to understand anything because there
> is so much indirection: "to do what <other standard> defines
> in section 1.17.42.0 to the objects <yet another standard>
> defines in section 4.3.2.1, use the methods described in
> <some fourth standard> in section 36932451927, but only unless
> the conditions explained in sections 666.0b and <aaah!>
> apply."  And when you follow the pointers, you only find
> more indirections to yet more places...  :-[

Hm, I guess I'm just used to reading W3C standards at this point.

> Do you know a place where that stuff is explained in a more
> accessible reference-manual style?

https://content-security-policy.com/ perhaps?

> > Since man.openbsd.org hosts manuals from many sources, and there's
> > always danger of a bug in mandoc that allows dangerous HTML content
> > through, a policy of "default-src 'none'; style-src 'self'" would be
> > appropriate: this allows external stylesheets loaded from a URL on
> > the same domain, but prohibits external links
>
> You mean, prohibits embedding content (not sure whether that is the
> correct term) from other sites?  Linking *to* other sites still
> appears to be permitted...

Sorry, that was jargon. I was referring to link elements here (as in:
"<link rel=stylesheet href=http://some.other.example.com/...>").

> > and inline CSS;
>
> I do understand why inline CSS is bad style and can harm accessibility
> and prevent formatting that is well adapted to the currently used
> browsing device - but i fail to understand why a *security*
> policy would worry about inline CSS.  Isn't "inline" by definition
> the most secure source of content conceivable?

In short, because modern CSS is so featureful that it is a vector for
XSS as much as JavaScript. I don't have any examples off the top of my
head but I'm sure that's not such an unbelievable statement.

> > scripts are not allowed at all. (mandoc(1) no longer generates
> > inline styles at all, right?)
>
> In a very small number of places, it still does:
>
> mdoc_html.c, mdoc_it_pre(), LIST_tag, ROFFT_BODY:
> 	print_otag(h, TAG_DD, "s", "width", "auto");
> 	<dd style="width: auto">
>
> mdoc_html.c, mdoc_fn_pre():
> 	print_otag(h, TAG_VAR, "cs", "Fa", "white-space", "nowrap");
> 	<var class=Fa" style="white-space: nowrap">
>
> tbl_html.c, html_tblopen():
> 	h->tblt = print_otag(h, TAG_TABLE, "c?ss", "tbl", ...
> 	<tbl class="tbl" border=1
>              style="border-style: solid; border-top-style: double">
>
> tbl_html.c, print_tbl():
> 	print_otag(h, TAG_TR, "ss",
>             "border-left-style", lborder,
>             "border-bottom-style", bborder);
> 	<tr style="border-left-style: solid; border-bottom-style: double">
>
> tbl_html.c, print_tbl():
> 	print_otag(h, TAG_TD, "??sss", ...
> 	<td colspan=3 rowspan=2 style="vertical-align: top; text-align;
>             center; border-right-style: solid">

It might be worth replacing these with stylesheet references for the
sake of having a CSP strict enough to prevent malicious inline CSS in
the manual body. But if not, we'll have to broaden the policy. Even a
broad CSS policy is better because we still completely block JavaScript.

> I think the semicolon in "'self';\r\n" isn't needed, right?

It isn't needed.

> By the way, could you check whether the CSP in
>
>   https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10
>
> makes any sense?

Seems conceptually fine, though again "style-src 'self'" is strictly
better than "style-src 'unsafe-inline'" (but CVSWeb is not really
designed for that). You'll notice that in the log you linked, images
are blocked because they're from cvsweb.bsd.lv, not mandoc.bsd.lv, and
don't count as 'self'.

-- 
Anthony J. Bentley
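To make the directive semantics argued over in this thread concrete, here is a small CSP evaluator added as an example; it is not mandoc code, and the page and resource URLs in it are constructed. It models only what the thread touches: 'none', 'self', 'unsafe-inline', plain host sources and the default-src fallback; nonces, hashes, wildcards and scheme-only sources are left out.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (a subset).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src", "media-src", "object-src"}

def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}.
    Empty segments are skipped, so the trailing ';' of the first diff
    ("style-src 'self';") is harmless; a repeated directive is ignored."""
    policy = {}
    for segment in header.split(";"):
        tokens = segment.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def _sources(policy, directive):
    """Effective source list: the directive itself, else default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None

def allows_inline(policy, directive):
    """Is inline content (a style= attribute, an inline <script>) allowed?
    Nonces and hashes are not modelled, so only 'unsafe-inline' permits it."""
    sources = _sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources

def allows_url(policy, directive, page_url, resource_url):
    """Is a resource fetched from resource_url allowed on page_url?"""
    sources = _sources(policy, directive)
    if sources is None:
        return True                    # nothing restricts this directive
    page, res = urlsplit(page_url), urlsplit(resource_url)
    for src in sources:
        if src == "'self'":
            # The document's own origin: scheme, host and port must match,
            # so cvsweb.bsd.lv images on a mandoc.bsd.lv page do not count.
            if (res.scheme, res.hostname, res.port) == (
                    page.scheme, page.hostname, page.port):
                return True
        elif not src.startswith("'"):
            # Host source such as cvsweb.bsd.lv or https://cvsweb.bsd.lv
            if src.split("://", 1)[-1].split("/", 1)[0] == res.hostname:
                return True
    return False                       # no source matched, including 'none'

if __name__ == "__main__":
    page = "https://man.openbsd.org/tbl.7"     # constructed page URL
    for hdr in ("default-src 'none'; style-src 'self';",
                "default-src 'none';style-src 'self' 'unsafe-inline'"):
        p = parse_csp(hdr)
        print(hdr, "| inline style:", allows_inline(p, "style-src"),
              "| inline script:", allows_inline(p, "script-src"))
```

Running it shows the trade-off the thread settles on: the first header blocks the style= attributes mandoc still emits, the second admits them while both keep scripts blocked.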

* Re: Content-Security-Policy for man.cgi
  2019-11-10 13:02   ` Anthony J. Bentley
@ 2019-11-10 17:47     ` Ingo Schwarze
  2019-11-10 20:09       ` Anthony J. Bentley
  0 siblings, 1 reply; 6+ messages in thread
From: Ingo Schwarze @ 2019-11-10 17:47 UTC (permalink / raw)
  To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 06:02:49AM -0700:
> Ingo Schwarze writes:

>> Do you know a place where that stuff is explained in a more
>> accessible reference-manual style?

> https://content-security-policy.com/ perhaps?

Thanks, i think now i have a partial understanding of what it does.

>>> Since man.openbsd.org hosts manuals from many sources, and there's
>>> always danger of a bug in mandoc that allows dangerous HTML content
>>> through, a policy of "default-src 'none'; style-src 'self'" would be
>>> appropriate: this allows external stylesheets loaded from a URL on
>>> the same domain, but prohibits external links

>> You mean, prohibits embedding content (not sure whether that is the
>> correct term) from other sites?  Linking *to* other sites still
>> appears to be permitted...

> Sorry, that was jargon. I was referring to link elements here (as in:
> "<link rel=stylesheet href=http://some.other.example.com/...>").

Oh, <link>...  I see.

>> I do understand why inline CSS is bad style and can harm accessibility
>> and prevent formatting that is well adapted to the currently used
>> browsing device - but i fail to understand why a *security*
>> policy would worry about inline CSS.  Isn't "inline" by definition
>> the most secure source of content conceivable?

> In short, because modern CSS is so featureful that it is a vector for
> XSS as much as JavaScript. I don't have any examples off the top of my
> head but I'm sure that's not such an unbelievable statement.

The idea didn't occur to me, but now that you say it, it does
sound plausible.

>>> scripts are not allowed at all. (mandoc(1) no longer generates
>>> inline styles at all, right?)

>> In a very small number of places, it still does:

> It might be worth replacing these with stylesheet references for the
> sake of having a CSP strict enough to prevent malicious inline CSS in
> the manual body. But if not, we'll have to broaden the policy. Even a
> broad CSS policy is better because we still completely block JavaScript.

I think completely getting rid of style= isn't that hard, but i won't
work too much on mandoc during a ports hackathon - so i have taken
a TODO note for now (see below).

>> By the way, could you check whether the CSP in
>>
>>   https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10
>>
>> makes any sense?

> Seems conceptually fine, though again "style-src 'self'" is strictly
> better than "style-src 'unsafe-inline'" (but CVSWeb is not really
> designed for that).

Eventually, it might be useful to clean up that aspect of cvsweb,
just like many other aspects need cleaning up.  But that one seems
relatively far away indeed.

> You'll notice that in the log you linked, images are blocked because
> they're from cvsweb.bsd.lv, not mandoc.bsd.lv,

Oops.  That was unintentional.  Ultimately, i hope to move all of
cvsweb.bsd.lv (including the running CGI) to cvsweb.bsd.lv, but
that still requires some preparations.

> and don't count as 'self'.

Fixed with the appropriate httpd.conf(5) rules for now,
thanks for the report.

Yours,
  Ingo


Log Message:
-----------
want to get rid of the last style= attributes, suggested by bentley@

Modified Files:
--------------
    mandoc:
        TODO

Revision Data
-------------
Index: TODO
===================================================================
RCS file: /home/cvs/mandoc/mandoc/TODO,v
retrieving revision 1.296
retrieving revision 1.297
diff -LTODO -LTODO -u -p -r1.296 -r1.297
--- TODO
+++ TODO
@@ -382,6 +382,11 @@ are mere guesses, and some may be wrong.
 
 --- HTML issues --------------------------------------------------------
 
+- get rid of the last handful of style= attributes such that
+  Content-Security-Policy: can be enabled without unsafe-inline
+  suggested by bentley@  Nov 10, 2019 at 06:02:49AM -0700
+  loc *  exist *  algo *  size *  imp **
+
 - .Bf at the beginning of a paragraph inserts a bogus 1ex horizontal
   space, see for example random(3).  Introduced in
   http://mdocml.bsd.lv/cgi-bin/cvsweb/mdoc_html.c.diff?r1=1.91&r2=1.92
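Review bot: the TODO entry could list the five places identified earlier in this thread (mdoc_html.c mdoc_it_pre() and mdoc_fn_pre(); tbl_html.c html_tblopen() and print_tbl() twice) so whoever picks it up does not have to rediscover them, and it could note that once they are gone the cgi.c header can be tightened from "style-src 'self' 'unsafe-inline'" to "style-src 'self'".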

* Re: Content-Security-Policy for man.cgi
  2019-11-10 17:47     ` Ingo Schwarze
@ 2019-11-10 20:09       ` Anthony J. Bentley
  2019-11-10 20:57         ` Ingo Schwarze
  0 siblings, 1 reply; 6+ messages in thread
From: Anthony J. Bentley @ 2019-11-10 20:09 UTC (permalink / raw)
  To: Ingo Schwarze; +Cc: tech

Hi Ingo,

Ingo Schwarze writes:
> > It might be worth replacing these with stylesheet references for the
> > sake of having a CSP strict enough to prevent malicious inline CSS in
> > the manual body. But if not, we'll have to broaden the policy. Even a
> > broad CSS policy is better because we still completely block JavaScript.
>
> I think completely getting rid of style= isn't that hard, but i won't
> work too much on mandoc during a ports hackathon - so i have taken
> a TODO note for now (see below).

Then here's the new diff. (I removed the space after the semicolon
as it's optional.)


Index: cgi.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
retrieving revision 1.106
diff -u -p -r1.106 cgi.c
--- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
+++ cgi.c	10 Nov 2019 20:07:39 -0000
@@ -336,6 +336,8 @@ resp_begin_http(int code, const char *ms
 
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	     "Cache-Control: no-cache\r\n"
+	     "Content-Security-Policy: default-src 'none';"
+	     "style-src 'self' 'unsafe-inline'\r\n"
 	     "Pragma: no-cache\r\n"
 	     "\r\n");
 
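Review bot: with 'unsafe-inline' in style-src this header no longer guards against inline CSS in the manual body, so what the diff actually buys is default-src 'none', which still blocks scripts and every other fetch not explicitly listed; a short comment next to the printf pointing at the TODO entry would keep 'unsafe-inline' from outliving the style= cleanup. The concatenation is correct: the first literal ends at "'none';", the second starts with "style-src", and the CSP grammar does not require whitespace after ';'.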

* Re: Content-Security-Policy for man.cgi
  2019-11-10 20:09       ` Anthony J. Bentley
@ 2019-11-10 20:57         ` Ingo Schwarze
  0 siblings, 0 replies; 6+ messages in thread
From: Ingo Schwarze @ 2019-11-10 20:57 UTC (permalink / raw)
  To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 01:09:05PM -0700:
> Ingo Schwarze writes:

>> I think completely getting rid of style= isn't that hard, but i won't
>> work too much on mandoc during a ports hackathon - so i have taken
>> a TODO note for now (see below).

> Then here's the new diff.

I have installed that diff on man.openbsd.org for testing, and my
impression is that it works as intended.  Maybe you want to have a
look at what that server now does, too, and if you are also satisfied,
feel free to commit it.

It may be only a few weeks until i come round to the style= cleanup,
but why not make it better in the meantime.

> (I removed the space after the semicolon as it's optional.)

Actually (bikeshed), i'd prefer to have that space 'none'; "
because it makes the header easier to read for humans (even
though i admit not as many humans as browsers may be in the
habit of reading HTTP headers), and for symmetry with the
line just above (before "charset").

Yours,
  Ingo


> Index: cgi.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
> retrieving revision 1.106
> diff -u -p -r1.106 cgi.c
> --- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
> +++ cgi.c	10 Nov 2019 20:07:39 -0000
> @@ -336,6 +336,8 @@ resp_begin_http(int code, const char *ms
>  
>  	printf("Content-Type: text/html; charset=utf-8\r\n"
>  	     "Cache-Control: no-cache\r\n"
> +	     "Content-Security-Policy: default-src 'none';"
> +	     "style-src 'self' 'unsafe-inline'\r\n"
>  	     "Pragma: no-cache\r\n"
>  	     "\r\n");
