On 25 Dec 2023 04:28, Frank Ch. Eigler wrote:
> > [...] unfortunately, projects don't seem to be consistent here. [...]
>
> Oh what a pity.
>
> https://content-security-policy.com/unsafe-inline/
> "The unsafe-inline keyword annuls most of the security benefits that
> Content-Security-Policy provide."

i noted this in my initial posting, but i don't think it's this dire. pretty sure it isn't relevant to our static pages, only when there's dynamic content that is possibly coming from users. with that in mind ...

> Well, let me try adding some docs/manuals URL patterns. But maybe we
> will need to bite the bullet and disable this gadget entirely.

at the very least, we could invert it. i'm not familiar with what all is hosted on sourceware.org, but the major things that involve user input can all be easily matched. so we can keep the strict CSP for them, but relax it for everyone else.

/bugzilla/* -- the bugzilla instance
*/wiki/* -- every project's wiki
/mailman/* -- list archives & form/acct management

are there any other major services?

although i think enforcing */manual/* on projects if they want to host texinfo-generated manuals is reasonable, and aligns with gnu.org layouts. shouldn't be hard to drop compat symlinks for projects who aren't already doing this.
-mike
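The inverted layout the message proposes, as an added example that is not part of the thread or of sourceware.org's actual configuration: an Apache httpd fragment (mod_headers) that sends a relaxed policy by default and a strict one only for the paths the message names. The three path patterns come from the message; the specific directive values in each policy and the exact regular expression are assumptions chosen for illustration. mod_headers applies `<Location>`-level `Header` directives after server-level ones, so the `set` inside `<LocationMatch>` replaces the default header for the matched paths.

```apache
# Added example (not from the thread or from sourceware.org's real config).
# Default policy for the mostly static project pages and texinfo-generated
# manuals: inline script/style allowed, but only same-origin sources.
# The policy values are assumptions, not a recommendation from the thread.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'"

# Strict policy for the services that render user-supplied content:
# /bugzilla/*, /mailman/*, and every project's */wiki/* (paths from the
# message; the regex grouping is an assumption). Because this block is
# more specific than the server-level Header above, its "set" wins here.
<LocationMatch "^/(bugzilla|mailman)/|/wiki/">
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
</LocationMatch>
```

After reloading httpd, `curl -sI https://HOST/bugzilla/` (HOST is a placeholder) should show the strict header and `curl -sI https://HOST/some-project/manual/` the relaxed one; any service not matched by the regex silently gets the relaxed policy, which is why the "are there any other major services?" question in the message has to be answered before the inverted layout is safe to deploy.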