From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=+/1n=IE=gentoo.org=vapier@sourceware.org>
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	by sourceware.org (Postfix) with ESMTP id 8CC733858C98
	for <overseers@sourceware.org>; Mon, 25 Dec 2023 01:15:26 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 8CC733858C98
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gentoo.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gentoo.org
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 8CC733858C98
Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=140.211.166.183
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1703466929; cv=none;
	b=UqOFfko6v99EQojA+kYX62S24sHcygoi0z4H2muISPbVU7P6HCSb2/CbJ+111dSsjPRgl5XL0b5o6DOm3jKzqqNftIrNWvGoNo1SsDYga7+NNf0j9Hfqv62VpYUtDHj5oTTnnxZ16aT2p2PcGzywuW5YYsCrQdLKqLo5zAqoQDM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1703466929; c=relaxed/simple;
	bh=4/DXqVEq0gmoU8VeAo4M0+8f8lkrkJJJIAYZcDqzyAE=;
	h=Date:From:To:Subject:Message-ID:MIME-Version; b=WZ9b/W9eLYdjkZZ4sFlJXfA8moVsfuR3j709qX70Fu7NdIi8M3W2Aa4/Yln9gcAzsJSsZtj5/kAdC3V/qvKRWHIM9IdCctS69FHx8KHurVjlWRm+bG0Dj9k7LMxMXlLBvXUcuYsjhRV4GeLKYflgKmDosglEz5TXKtH7JZuckkw=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: by smtp.gentoo.org (Postfix, from userid 559)
	id 197D933E3A9; Mon, 25 Dec 2023 01:15:26 +0000 (UTC)
Date: Sun, 24 Dec 2023 20:15:24 -0500
From: Mike Frysinger <vapier@gentoo.org>
To: overseers@sourceware.org
Subject: Content-Security-Policy on sourceware.org breaking HTML manuals
Message-ID: <ZYjXrGLz0Biq7P1Y@vapier>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="o5fyxo1NwWkGf7HK"
Content-Disposition: inline
X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00,JMQ_SPF_NEUTRAL,KAM_DMARC_STATUS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <overseers.sourceware.org>


--o5fyxo1NwWkGf7HK
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

tl;dr: can we add "; style-src 'unsafe-inline' http: https:" to sourceware.org's CSP header ?

it seems a CSP header has been added to the sourceware.org web server at
some point and it breaks inline <style> in web pages.  it breaks inline
<script> too, but that's prob for the best, and i'm not aware of cases
that are affected by this.

$ curl --HEAD https://sourceware.org/
HTTP/2 200
date: Mon, 25 Dec 2023 01:03:04 GMT
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
accept-ranges: bytes
vary: Accept-Encoding
content-security-policy: default-src 'self' http: https:
strict-transport-security: max-age=16070400
content-type: text/html; charset=UTF-8

unfortunately, inline <style> is used in all HTML manuals generated by
GNU texinfo.  you can see this by visiting the GDB manual:
	https://sourceware.org/gdb/current/onlinedocs/gdb.html/

Chrome's devtools will show the warning:
> Refused to apply inline style because it violates the following Content Security Policy directive:
> "default-src 'self' http: https:". Either the 'unsafe-inline' keyword, a hash ('...'), or a
> nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not
> explicitly set, so 'default-src' is used as a fallback.

should we allow inline <style> for now on sourceware.org until we figure
out something better ?  i think it would just be:
	default-src 'self' http: https:; style-src 'unsafe-inline' http: https:

i grok that this disables one XSS protection, but i suspect its not a huge
concern for us ... we have bugzilla & wiki which hosts user-submitted content,
but the wiki at least is "trusted" devs, and bugzilla is normally programmed
with this stuff in mind.

a lot of these manuals are historical and would need manual regeneration
or hacking to use an external sheet.
-mike

--o5fyxo1NwWkGf7HK
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEuQK1JxMl+JKsJRrUQWM7n+g39YEFAmWI16wACgkQQWM7n+g3
9YF0QA/9GthNY8bHKHzTe4kwIECh3jBVHZ4MQNP7Bi+L2jNohSbVQSPob9YW6Z7Y
H1v/mUp4jmgpU768sG3o308M/5+UylL7oBVryfLmlqJ532aDbpbpquWM0NkWUmKJ
WrheVgccMPDQoNooNzxxC1bNmd1t/afj4XDqqM142yodCtTlFGYKqYW3qVQxaTQV
k64dFPCwH9oXD6KxY8av6JXIpX9BRrRBa0Yzk6f6gYbysGFyb0ehJk8EeUtIBgI/
CYL93kDNFkYCsfuT33YuoPWEjTCIMvuBOpMFR2gYUFEhSnMSvcYKmRp6ZamzSGis
raJxS0c3v+9f+hC7mLZhYXQ9OLS2eviokpQ7buBHJ14Ra8NkLESKEa4qGZnibg9o
x36Xqzwq5souyRVDnd5I67ZBISAIjtA1XEcWxSUZuyYpZ0wydv4xVnO1bZdLva6P
TkUrIkkXA8TYJJQBKYJ2L+sH+MnWb6h3R0HC1D7tZH2+gcePeWp+jHBStGLgIo6g
87de+ALjyrd5ARKmlH3T87wzLRrq1EfXj7JVhEGeAu8ntl2QBBmodJzuJ2iw4IBA
4IWDIZHK6Z1o3OJAXt2qg9/JZBHtYPw6xMapDc55CnzDBWyldBo3WNzHI1cwAA3U
wwwRxUWJ4mjsh2JvGx/alEEQNP0kqIGZehU5l7lXa64og3ZOfy8=
=qK9P
-----END PGP SIGNATURE-----

--o5fyxo1NwWkGf7HK--