From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from scc-mailout-kit-01.scc.kit.edu (scc-mailout-kit-01.scc.kit.edu [129.13.231.81])
	by mandoc.bsd.lv (OpenSMTPD) with ESMTP id 052715f9
	for ; Sun, 10 Nov 2019 15:57:13 -0500 (EST)
Received: from hekate.asta.kit.edu ([141.3.145.153] helo=hekate.usta.de)
	by scc-mailout-kit-01.scc.kit.edu with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(envelope-from )
	id 1iTuGm-000211-7q; Sun, 10 Nov 2019 21:57:13 +0100
Received: from donnerwolke.asta.kit.edu ([141.3.145.61] helo=donnerwolke.usta.de)
	by hekate.usta.de with esmtp (Exim 4.92.2)
	(envelope-from )
	id 1iTuGl-00089O-9c; Sun, 10 Nov 2019 21:57:11 +0100
Received: from athene.asta.kit.edu ([141.3.145.60] helo=athene.usta.de)
	by donnerwolke.usta.de with esmtp (Exim 4.84_2)
	(envelope-from )
	id 1iTuGl-00059I-6g; Sun, 10 Nov 2019 21:57:11 +0100
Received: from localhost (athene.usta.de [local])
	by athene.usta.de (OpenSMTPD) with ESMTPA id f31be400;
	Sun, 10 Nov 2019 21:57:11 +0100 (CET)
Date: Sun, 10 Nov 2019 21:57:11 +0100
From: Ingo Schwarze
To: "Anthony J. Bentley"
Cc: tech@mandoc.bsd.lv
Subject: Re: Content-Security-Policy for man.cgi
Message-ID: <20191110205711.GJ11024@athene.usta.de>
References: <37020-1573376361.432557@hhtH.9ww_.rVWG>
	<20191110102234.GC53073@athene.usta.de>
	<74937-1573390969.518612@LNmC.KNpy.68m_>
	<20191110174755.GA11024@athene.usta.de>
	<1076-1573416545.590100@piVC.Y-1h.zrhB>
X-Mailinglist: mandoc-tech
Reply-To: tech@mandoc.bsd.lv
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1076-1573416545.590100@piVC.Y-1h.zrhB>
User-Agent: Mutt/1.12.2 (2019-09-21)

Hi Anthony,

Anthony J. Bentley wrote on Sun, Nov 10, 2019 at 01:09:05PM -0700:
> Ingo Schwarze writes:

>> I think completely getting rid of style= isn't that hard, but i won't
>> work too much on mandoc during a ports hackathon - so i have taken
>> a TODO note for now (see below).

> Then here's the new diff.

I have installed that diff on man.openbsd.org for testing, and my
impression is that it works as intended.

Maybe you want to have a look at what that server now does, too,
and if you are also satisfied, feel free to commit it.

It may be only a few weeks until i come round to the style= cleanup,
but why not make it better in the meantime.

> (I removed the space after the semicolon as it's optional.)

Actually (bikeshed), i'd prefer to have that space

  'none'; "

because it makes the header easier to read for humans (even though
i admit not as many humans as browsers may be in the habit of reading
HTTP headers), and for symmetry with the line just above (before
"charset").

Yours,
  Ingo

> Index: cgi.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/cgi.c,v
> retrieving revision 1.106
> diff -u -p -r1.106 cgi.c
> --- cgi.c	1 Oct 2019 17:54:04 -0000	1.106
> +++ cgi.c	10 Nov 2019 20:07:39 -0000
> @@ -336,6 +336,8 @@ resp_begin_http(int code, const char *ms
>  
>  	printf("Content-Type: text/html; charset=utf-8\r\n"
>  	    "Cache-Control: no-cache\r\n"
> +	    "Content-Security-Policy: default-src 'none';"
> +	    "style-src 'self' 'unsafe-inline'\r\n"
>  	    "Pragma: no-cache\r\n"
>  	    "\r\n");
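Review bot: the two adjacent string literals on the `+` lines concatenate to `default-src 'none';style-src 'self' 'unsafe-inline'` with no whitespace after the semicolon; the CSP grammar makes that whitespace optional, so browsers parse both forms the same way, but the reply above asks for the space back for human readability and for symmetry with the `charset=utf-8` line, which means ending the first added literal in `'none'; ` rather than `'none';`. A short comment next to the new lines would also help future readers: `'unsafe-inline'` in `style-src` is only there because the HTML output still carries `style=` attributes, so it can be dropped once the style= cleanup mentioned in the thread lands, and with `default-src 'none'` every resource type that has no directive of its own (scripts, images, fonts, frames) is blocked, so any later change to the HTML output that adds such resources has to touch this header too.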
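The thread's two points, that the space after `;` is optional and that `default-src 'none'` is the fallback for every directive the header does not name, can be checked with a small parser for the serialized policy. The following is an added example and not mandoc's code; the policy string is copied from the diff above, the function and type names (`csp_parse`, `csp_effective`, `csp_allows`, `struct policy`) are invented for this example, and the fallback rule is applied only to fetch directives, which is the case that matters for `style-src` here.

```c
/* Added example (not part of mandoc): parse a Content-Security-Policy
 * header value into directives and answer "does directive X allow
 * source expression Y?", including the default-src fallback. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIRECTIVES 16
#define MAX_SOURCES 8
#define TOKLEN 64

struct directive {
	char name[TOKLEN];              /* lower-cased directive name */
	int nsources;
	char sources[MAX_SOURCES][TOKLEN];
};

struct policy {
	int ndirectives;
	struct directive d[MAX_DIRECTIVES];
};

/* Parse a serialized policy: directives separated by ';', each one a
 * name followed by whitespace-separated source expressions. The CSP
 * grammar allows optional whitespace around ';', so "a;b" and "a; b"
 * must parse identically. Returns the directive count, or -1 if one
 * of the fixed-size tables overflows. */
static int
csp_parse(const char *hdr, struct policy *p)
{
	const char *s = hdr;

	memset(p, 0, sizeof(*p));
	while (*s != '\0') {
		while (*s == ' ' || *s == '\t' || *s == ';')
			s++;                    /* skip separators and empty directives */
		if (*s == '\0')
			break;
		if (p->ndirectives == MAX_DIRECTIVES)
			return -1;
		struct directive *d = &p->d[p->ndirectives];
		int ntok = 0;
		while (*s != '\0' && *s != ';') {
			while (*s == ' ' || *s == '\t')
				s++;
			if (*s == '\0' || *s == ';')
				break;
			const char *start = s;
			while (*s != '\0' && *s != ';' && *s != ' ' && *s != '\t')
				s++;
			size_t len = (size_t)(s - start);
			if (len >= TOKLEN)
				return -1;
			if (ntok == 0) {
				memcpy(d->name, start, len);
				d->name[len] = '\0';
				for (char *c = d->name; *c != '\0'; c++)
					*c = (char)tolower((unsigned char)*c); /* names are case-insensitive */
			} else {
				if (d->nsources == MAX_SOURCES)
					return -1;
				memcpy(d->sources[d->nsources], start, len);
				d->sources[d->nsources][len] = '\0';
				d->nsources++;
			}
			ntok++;
		}
		if (ntok > 0)
			p->ndirectives++;
	}
	return p->ndirectives;
}

/* Effective source list for a fetch directive: the directive itself if
 * present, otherwise default-src, otherwise NULL (unrestricted). */
static const struct directive *
csp_effective(const struct policy *p, const char *name)
{
	const struct directive *fallback = NULL;

	for (int i = 0; i < p->ndirectives; i++) {
		if (strcmp(p->d[i].name, name) == 0)
			return &p->d[i];
		if (strcmp(p->d[i].name, "default-src") == 0)
			fallback = &p->d[i];
	}
	return fallback;
}

/* 1 if the source expression (e.g. "'self'") is listed for the fetch
 * directive name after fallback; 0 otherwise, which includes the case
 * where the effective list is just 'none'. */
static int
csp_allows(const struct policy *p, const char *name, const char *src)
{
	const struct directive *d = csp_effective(p, name);

	if (d == NULL)
		return 1;
	for (int i = 0; i < d->nsources; i++)
		if (strcmp(d->sources[i], src) == 0)
			return 1;
	return 0;
}

int
main(void)
{
	/* Exactly the literals from the diff: adjacent strings, no space. */
	const char *hdr = "default-src 'none';" "style-src 'self' 'unsafe-inline'";
	struct policy p;

	printf("%d directives parsed from \"%s\"\n", csp_parse(hdr, &p), hdr);
	printf("style-src 'unsafe-inline': %d\n", csp_allows(&p, "style-src", "'unsafe-inline'"));
	printf("script-src 'self':         %d\n", csp_allows(&p, "script-src", "'self'"));
	return 0;
}
```

Running it shows two directives, styles allowed inline and from the same origin, and scripts (which fall back to `default-src 'none'`) denied; parsing the same header with a space after the semicolon gives an identical structure, which is the sense in which the space is optional.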