Message-ID: <457a6a03-91ae-8d5b-1f5b-1a5c9afa924e@suse.cz>
Date: Thu, 10 Nov 2022 11:36:00 +0100
Subject: Re: [DOCS] sphinx: use new Sphinx links
To: Gerald Pfeifer
Cc: gcc-patches@gcc.gnu.org
From: Martin Liška

On 11/10/22 11:03, Gerald Pfeifer wrote:
> On Thu, 10 Nov 2022, Martin Liška wrote:
>>> https://gcc.gnu.org/install/ is back with a new face.
>> But it's not working properly due to some Content Security Policy:
>
> Hmm, it worked in my testing before and I just tried again:
>
>   Firefox 106.0.1 (64-bit) and now also Chrome 106.0.5249.119
>   and w3m.
>
> Which browser are you using? Any particular add-ons or special security
> settings?
>
>> Refused to apply inline style because it violates the following Content
>> Security Policy directive: "default-src 'self' http: https:". Either the
>> 'unsafe-inline' keyword, a hash
>> ('sha256-wAI2VKPX8IUBbq55XacEljWEKQc4Xc1nmwVsAjAplNU='), or a nonce
>> ('nonce-...') is required to enable inline execution. Note also that
>> 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
>
> That looks like it's related to some Javascript fun? Does sphinx pull in
> something? Ohhhh, it does. A lot.
>
> I'm not using any Javascript blocker, though, so not sure why I am not
> seeing any such warnings?
>
> Searching for "+sphinx" and this message did not result in anything.
>
> (It feels a bit curious how the position in the web server's file system
> or a symlink could trigger something like that?)
>
>
> Looking at the source code of index.html I am wondering about
>
>
>
> versus all the .js inclusions later on.
>
> And https://validator.w3.org/nu/?doc=https%3A%2F%2Fgcc.gnu.org%2Finstall%2F
> and https://validator.w3.org/nu/?doc=https%3A%2F%2Fgcc.gnu.org%2Fonlinedocs%2Finstall%2F
> appear equally (un)happy.
>
> Gerald

Well, I can also reproduce it on my mobile phone. Anyway, the difference is:

$ curl https://gcc.gnu.org/install/index.html -v &> bad.txt
$ curl https://gcc.gnu.org/onlinedocs/install/index.html -v &> good.txt
$ diff -u good.txt bad.txt
--- good.txt 2022-11-10 11:33:45.293631904 +0100 +++ bad.txt 2022-11-10 11:33:37.813669264 +0100 @@ -32,31 +32,32 @@ * subjectAltName: host "gcc.gnu.org" matched cert's "gcc.gnu.org" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Using HTTP2, server supports multiplexing +* Using HTTP2, server supports multiplexing * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 } [5 bytes data] * h2h3 [:method: GET] -* h2h3 [:path: /onlinedocs/install/index.html] +* h2h3 [:path: /install/index.html] * h2h3 [:scheme: https] * h2h3 [:authority: gcc.gnu.org] * h2h3 [user-agent: curl/7.86.0] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5555555bf890) } [5 bytes data] -> GET /onlinedocs/install/index.html HTTP/2 +> GET /install/index.html HTTP/2 > Host: gcc.gnu.org > user-agent: curl/7.86.0 > accept: */* > { [5 bytes data] < HTTP/2 200 -< date: Thu, 10 Nov 2022 10:33:45 GMT +< date: Thu, 10 Nov 2022 10:33:37 GMT < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3 < last-modified: Wed, 09 Nov 2022 18:51:10 GMT < etag: "8232-5ed0e23e07250" < accept-ranges: bytes < content-length: 33330 < vary: Accept-Encoding +< content-security-policy: default-src 'self' http: https: < strict-transport-security: max-age=16070400 < content-type: text/html; charset=utf-8 <
@@ -485,7 +486,7 @@ 100 33330 100 33330 0 0 61514 0 --:--:-- --:--:-- --:--:-- 61494 100 33330 100 33330 0 0 62652 0 --:--:-- --:--:-- --:--:-- 62768 * Connection #0 to host gcc.gnu.org left intact v> =======

See that the problematic one for some reason uses "content-security-policy: default-src 'self' http: https:".
And it uses 'Using HTTP2, server supports multiplexing'

Martin
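
Added example (not part of the original mail and not code from the GCC site): the comparison above reduced to response headers only, plus the style-src to default-src fallback named in the browser message, which is why this policy refuses inline styles. The two transcripts are constructed from header lines quoted in the mail, and all function names are hypothetical.

```python
# Constructed samples: header lines as they appear in the curl -v diff quoted above.
GOOD = """\
< HTTP/2 200
< date: Thu, 10 Nov 2022 10:33:45 GMT
< strict-transport-security: max-age=16070400
< content-type: text/html; charset=utf-8
"""
BAD = """\
< HTTP/2 200
< date: Thu, 10 Nov 2022 10:33:37 GMT
< content-security-policy: default-src 'self' http: https:
< strict-transport-security: max-age=16070400
< content-type: text/html; charset=utf-8
"""
VOLATILE = {"date", "age", "expires"}  # differ between any two requests

def response_headers(transcript):
    """Collect response headers from the '< name: value' lines of `curl -v` output."""
    headers = {}
    for line in transcript.splitlines():
        if line.startswith("< ") and ": " in line:
            name, value = line[2:].split(": ", 1)
            headers[name.lower()] = value.strip()
    return headers

def header_diff(good, bad):
    """Return {name: (good_value, bad_value)} for non-volatile headers that differ."""
    g, b = response_headers(good), response_headers(bad)
    return {n: (g.get(n), b.get(n)) for n in sorted(set(g) | set(b))
            if n not in VOLATILE and g.get(n) != b.get(n)}

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def inline_style_allowed(policy):
    """True if inline styles pass unconditionally (style-src-elem/-attr not modelled)."""
    d = parse_csp(policy)
    sources = d.get("style-src", d.get("default-src"))  # fallback to default-src
    if sources is None:
        return True  # no directive governs styles
    # A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not pinned
```

Feeding it the saved good.txt and bad.txt from the commands above gives the same one-header answer without the TLS, progress-meter and date noise.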