From: "Anthony J. Bentley"
To: Ingo Schwarze
Cc: tech@mandoc.bsd.lv
Subject: Re: Content-Security-Policy for man.cgi
Date: Sun, 10 Nov 2019 06:02:49 -0700
Message-ID: <74937-1573390969.518612@LNmC.KNpy.68m_>
In-reply-to: <20191110102234.GC53073@athene.usta.de>
References: <37020-1573376361.432557@hhtH.9ww_.rVWG> <20191110102234.GC53073@athene.usta.de>

Hi Ingo,

Ingo Schwarze writes:
> I tried to read the standard https://www.w3.org/TR/CSP/
> but miserably failed to understand anything because there
> is so much indirection: "to do what defines
> in section 1.17.42.0 to the objects
> defines in section 4.3.2.1, use the methods described in
> in section 36932451927, but only unless
> the conditions explained in sections 666.0b and
> apply." And when you follow the pointers, you only find
> more indirections to yet more places... :-[

Hm, I guess I'm just used to reading W3C standards at this point.

> Do you know a place where that stuff is explained in a more
> accessible reference-manual style?

https://content-security-policy.com/ perhaps?

> > Since man.openbsd.org hosts manuals from many sources, and there's
> > always danger of a bug in mandoc that allows dangerous HTML content
> > through, a policy of "default-src 'none'; style-src 'self'" would be
> > appropriate: this allows external stylesheets loaded from a URL on
> > the same domain, but prohibits external links
>
> You mean, prohibits embedding content (not sure whether that is the
> correct term) from other sites? Linking *to* other sites still
> appears to be permitted...

Sorry, that was jargon. I was referring to link elements here (as in:
"").

> > and inline CSS;
>
> I do understand why inline CSS is bad style and can harm accessibility
> and prevent formatting that is well adapted to the currently used
> browsing device - but i fail to understand why a *security*
> policy would worry about inline CSS. Isn't "inline" by definition
> the most secure source of content conceivable?

In short, because modern CSS is so featureful that it is a vector for
XSS as much as JavaScript. I don't have any examples off the top of my
head but I'm sure that's not such an unbelievable statement.

> > scripts are not allowed at all. (mandoc(1) no longer generates
> > inline styles at all, right?)
>
> In a very small number of places, it still does:
>
> mdoc_html.c, mdoc_it_pre(), LIST_tag, ROFFT_BODY:
> print_otag(h, TAG_DD, "s", "width", "auto");
>
> mdoc_html.c, mdoc_fn_pre():
> print_otag(h, TAG_VAR, "cs", "Fa", "white-space", "nowrap");
>
> tbl_html.c, html_tblopen():
> h->tblt = print_otag(h, TAG_TABLE, "c?ss", "tbl", ...
> style="border-style: solid; border-top-style: double">
>
> tbl_html.c, print_tbl():
> print_otag(h, TAG_TR, "ss",
> "border-left-style", lborder,
> "border-bottom-style", bborder);
>
> tbl_html.c, print_tbl():
> print_otag(h, TAG_TD, "??sss", ...
>

It might be worth replacing these with stylesheet references for the
sake of having a CSP strict enough to prevent malicious inline CSS in
the manual body. But if not, we'll have to broaden the policy. Even a
broad CSS policy is better because we still completely block
JavaScript.

> I think the semicolon in "'self';\r\n" isn't needed, right?

It isn't needed.

> By the way, could you check whether the CSP in
>
> https://mandoc.bsd.lv/cgi-bin/cvsweb/cvsweb.cgi?cvsroot=cvsweb#rev4.10
>
> makes any sense?

Seems conceptually fine, though again "style-src 'self'" is strictly
better than "style-src 'unsafe-inline'" (but CVSWeb is not really
designed for that). You'll notice that in the log you linked, images
are blocked because they're from cvsweb.bsd.lv, not mandoc.bsd.lv, and
don't count as 'self'.

--
Anthony J. Bentley
--
To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv
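Added example, not part of the thread and not mandoc's or cvsweb's code: a small Content-Security-Policy evaluator that walks an HTML document, collects the loads a CSP governs (stylesheet links, inline style attributes, scripts, images) and reports which ones a given policy permits. It shows the three points made above in one run: "default-src 'none'; style-src 'self'" admits a same-origin stylesheet but rejects the inline style attributes mandoc still emits and every script; broadening to 'unsafe-inline' for styles lets those attributes through while JavaScript stays blocked; and an image served from another host (the cvsweb.bsd.lv case) is not 'self' even when img-src 'self' is set. The sample HTML, the two policies, the page URL and all function names (parse_csp, allows, LoadCollector, audit) are constructed for this example; the matcher deliberately ignores nonces, hashes and scheme upgrades, so it is a teaching model of the spec, not a replacement for a browser.

```python
# Added example (not mandoc's code): which loads in an HTML page does a
# Content-Security-Policy header permit?  All names and sample data are
# constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; an empty trailing directive (from a
    trailing ';') is skipped, so "style-src 'self';" equals "style-src 'self'"."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin(url):
    """(scheme, host, port): the tuple that CSP's 'self' compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def host_matches(expr, url):
    """Simplified host-source matching: optional scheme, host with an
    optional leading '*.' wildcard; ports and paths in expr are ignored."""
    p = urlsplit(url)
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
        if scheme.lower() != p.scheme.lower():
            return False
    pattern = expr.split("/", 1)[0].split(":", 1)[0].lower()
    host = (p.hostname or "").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def allows(policy, directive, page_url, url=None, inline=False):
    """True if `policy` lets a page at page_url perform this load.
    A missing fetch directive falls back to default-src; if neither exists
    the load is unrestricted.  inline=True covers <style>, style="..."
    attributes and inline <script>; nonces and hashes are not modelled."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "*" or (src == "'self'" and origin(url) == origin(page_url)):
            return True
        if not src.startswith("'") and host_matches(src, url):
            return True
    return False  # 'none', or no source expression matched


class LoadCollector(HTMLParser):
    """Collect the CSP-governed loads found in an HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.loads = []  # (directive, absolute url or None, inline, description)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if "style" in a:  # inline style attribute, as in mandoc's white-space: nowrap
            self.loads.append(("style-src", None, True, f"<{tag} style=...>"))
        if tag == "style":
            self.loads.append(("style-src", None, True, "<style>"))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.loads.append(("style-src", urljoin(self.page_url, a["href"]), False, "<link rel=stylesheet>"))
        elif tag == "script":
            src = a.get("src")
            self.loads.append(("script-src", urljoin(self.page_url, src) if src else None, src is None, "<script>"))
        elif tag == "img" and a.get("src"):
            self.loads.append(("img-src", urljoin(self.page_url, a["src"]), False, "<img>"))


def audit(html, csp_header, page_url):
    """Return [(description, allowed)] for every governed load in html."""
    policy = parse_csp(csp_header)
    collector = LoadCollector(page_url)
    collector.feed(html)
    return [(what, allows(policy, directive, page_url, url, inline))
            for directive, url, inline, what in collector.loads]


# Constructed sample resembling man.cgi output with the inline styles named
# in the thread, plus a script and an image from another host.
MANPAGE = """<html><head>
<link rel="stylesheet" href="/mandoc.css">
<script src="/x.js"></script>
</head><body>
<table class="tbl" style="border-style: solid; border-top-style: double"><tr><td>x</td></tr></table>
<var class="Fa" style="white-space: nowrap">int</var>
<img src="https://cvsweb.bsd.lv/icons/dir.gif">
</body></html>"""
STRICT = "default-src 'none'; style-src 'self'"
BROAD = "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'"

if __name__ == "__main__":
    for label, csp in (("strict", STRICT), ("broad", BROAD)):
        print(label + ":", csp)
        for what, ok in audit(MANPAGE, csp, "https://man.openbsd.org/cat.1"):
            print("  ", "allowed" if ok else "BLOCKED", what)
```

Under the strict policy only the stylesheet link survives; under the broad one the two style attributes pass, the script is still blocked, and the cvsweb.bsd.lv image is blocked because its origin differs from the page's even though img-src 'self' is present.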