From: Mike Frysinger <vapier@gentoo.org>
To: overseers@sourceware.org
Subject: Content-Security-Policy on sourceware.org breaking HTML manuals
Date: Sun, 24 Dec 2023 20:15:24 -0500
Message-ID: <ZYjXrGLz0Biq7P1Y@vapier>
tl;dr: can we add "; style-src 'unsafe-inline' http: https:" to sourceware.org's CSP header ?
it seems a CSP header has been added to the sourceware.org web server at
some point and it breaks inline <style> in web pages. it breaks inline
<script> too, but that's prob for the best, and i'm not aware of cases
that are affected by this.
$ curl --HEAD https://sourceware.org/
HTTP/2 200
date: Mon, 25 Dec 2023 01:03:04 GMT
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
accept-ranges: bytes
vary: Accept-Encoding
content-security-policy: default-src 'self' http: https:
strict-transport-security: max-age=16070400
content-type: text/html; charset=UTF-8
unfortunately, inline <style> is used in all HTML manuals generated by
GNU texinfo. you can see this by visiting the GDB manual:
https://sourceware.org/gdb/current/onlinedocs/gdb.html/
Chrome's devtools will show the warning:
> Refused to apply inline style because it violates the following Content Security Policy directive:
> "default-src 'self' http: https:". Either the 'unsafe-inline' keyword, a hash ('...'), or a
> nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not
> explicitly set, so 'default-src' is used as a fallback.
should we allow inline <style> for now on sourceware.org until we figure
out something better ? i think it would just be:
default-src 'self' http: https:; style-src 'unsafe-inline' http: https:
i grok that this disables one XSS protection, but i suspect it's not a huge
concern for us ... we have bugzilla & wiki which host user-submitted content,
but the wiki at least is "trusted" devs, and bugzilla is normally programmed
with this stuff in mind.
a lot of these manuals are historical and would need manual regeneration
or hacking to use an external sheet.
-mike
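The Chrome warning quoted above is about directive fallback: with no style-src set, the browser takes default-src as the policy for inline styles, and that list has neither 'unsafe-inline' nor a hash or nonce. The script below is an added example (not code from the message or from sourceware.org) that parses a CSP header, resolves the fallback chain for an inline <style> element, and reports whether the block would be applied under the header curl returned versus the one proposed in the message. It also shows the hash-source alternative the warning mentions. The function names are mine, and the CSS snippet is constructed sample input.

```python
"""Evaluate whether a Content-Security-Policy header permits an inline <style>.

Added example, not code from the original e-mail or from sourceware.org.
It models the directive fallback named in Chrome's warning
(style-src-elem -> style-src -> default-src), the hash/nonce sources the
warning offers as alternatives to 'unsafe-inline', and the CSP rule that a
hash or nonce in a directive neutralises 'unsafe-inline'.  SERVED is the
header from the curl output on the page, PROPOSED is the one suggested in
the message; SAMPLE_CSS is constructed sample input.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Fallback chain a browser walks for an inline <style> element (CSP Level 3).
STYLE_FALLBACK = ("style-src-elem", "style-src", "default-src")

HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$", re.I)
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=]+'$", re.I)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are case-insensitive, and when a name is repeated only
    the first occurrence counts, as the spec requires.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      chain: Tuple[str, ...]) -> Tuple[Optional[str], Optional[List[str]]]:
    """Return (directive name, source list) that governs `chain`.

    (None, None) means no directive in the chain is present, i.e. no
    restriction.  The first directive found replaces the later ones
    entirely; lists are not merged, so a style-src that omits 'self' does
    not inherit 'self' from default-src.
    """
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None


def inline_style_hash(css: str, algo: str = "sha256") -> str:
    """CSP hash-source for the exact text content of one inline <style>."""
    digest = hashlib.new(algo, css.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def allows_inline_style(header: str, css: str, nonce: Optional[str] = None) -> bool:
    """Would a CSP-enforcing browser apply this inline <style> block?"""
    directive, sources = effective_sources(parse_csp(header), STYLE_FALLBACK)
    if directive is None or sources is None:
        return True  # nothing in the policy restricts styles
    has_hash_or_nonce = any(HASH_RE.match(s) or NONCE_RE.match(s) for s in sources)
    if any(s.lower() == "'unsafe-inline'" for s in sources) and not has_hash_or_nonce:
        return True
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    return any(inline_style_hash(css, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


def report(header: str, css: str) -> str:
    """One-line verdict naming the directive the browser actually used."""
    directive, _ = effective_sources(parse_csp(header), STYLE_FALLBACK)
    verdict = "applied" if allows_inline_style(header, css) else "REFUSED"
    return "%s (governed by %s)" % (verdict, directive or "no directive")


SERVED = "default-src 'self' http: https:"                      # from the curl output
PROPOSED = SERVED + "; style-src 'unsafe-inline' http: https:"  # from the message
SAMPLE_CSS = "pre.display { font-family: inherit }"             # constructed sample

if __name__ == "__main__":
    print("served:  ", report(SERVED, SAMPLE_CSS))
    print("proposed:", report(PROPOSED, SAMPLE_CSS))
    # Hash alternative: allow exactly this style block and nothing else.
    hashed = SERVED + "; style-src 'self' https: " + inline_style_hash(SAMPLE_CSS)
    print("hashed:  ", report(hashed, SAMPLE_CSS))
```

Running it prints `REFUSED (governed by default-src)` for the served header and `applied (governed by style-src)` for the proposed one, which is the behaviour the devtools warning describes. Two things worth knowing before deploying the change: a style-src directive replaces default-src for styles rather than extending it, so anything not repeated in style-src (here 'self', which `https:` happens to cover anyway) is no longer allowed for stylesheets; and the hash route needs one `'sha256-...'` value per distinct inline <style> block, which is why it does not help for a large body of already generated manuals.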
Thread overview: 5+ messages
2023-12-25 1:15 Mike Frysinger [this message]
2023-12-25 1:22 ` Frank Ch. Eigler
2023-12-25 2:01 ` Mike Frysinger
2023-12-25 9:28 ` Frank Ch. Eigler
2023-12-27 6:39 ` Mike Frysinger