Date: Wed, 27 Dec 2023 01:39:16 -0500
From: Mike Frysinger
To: "Frank Ch. Eigler"
Cc: Overseers mailing list
Subject: Re: Content-Security-Policy on sourceware.org breaking HTML manuals

On 25 Dec 2023 04:28, Frank Ch. Eigler wrote:
> > [...] unfortunately, projects don't seem to be consistent here. [...]
>
> Oh what a pity.
>
> https://content-security-policy.com/unsafe-inline/
> "The unsafe-inline keyword annuls most of the security benefits that
> Content-Security-Policy provide."

i noted this in my initial posting, but i don't think it's this dire.
pretty sure it isn't relevant to our static pages, only when there's
dynamic content that is possibly coming from users.  with that in mind ...

> Well, let me try adding some docs/manuals URL patterns.  But maybe we
> will need to bite the bullet and disable this gadget entirely.

at the very least, we could invert it.  i'm not familiar with what all is
hosted on sourceware.org, but the major things that involve user input can
all be easily matched.  so we can keep the strict CSP for them, but relax it
for everyone else.

/bugzilla/* -- the bugzilla instance
*/wiki/* -- every project's wiki
/mailman/* -- list archives & form/acct management

are there any other major services ?

although i think enforcing */manual/* on projects if they want to host
texinfo-generated manuals is reasonable, and aligns with gnu.org layouts.
shouldn't be hard to drop compat symlinks for projects who aren't already
doing this.
-mike
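Editor-added illustration of the "invert it" proposal above; this is not configuration from the thread or from sourceware.org's real setup. It assumes Apache httpd with mod_headers enabled. The three path patterns are the ones named in the mail; the policy directive values themselves are assumptions chosen to show the shape of the split: a relaxed default that tolerates the inline style and script that texinfo-generated HTML relies on, and a strict policy without 'unsafe-inline' scoped to the services that render user-supplied content.

```apache
# Added example (not the project's own config): path-scoped CSP with mod_headers.
# Assumes Apache httpd with mod_headers; all directive values are illustrative.

# Default for everything else, including static manuals: inline script/style are
# allowed, but the policy still pins object-src, base-uri and framing so the
# relaxation is limited to the inline case rather than dropping CSP entirely.
Header always set Content-Security-Policy \
    "default-src 'self'; \
     script-src 'self' 'unsafe-inline'; \
     style-src 'self' 'unsafe-inline'; \
     img-src 'self' data:; \
     object-src 'none'; \
     base-uri 'self'; \
     frame-ancestors 'self'"

# Strict policy for the services that take user input.  A later, more specific
# "Header set" replaces the server-level value for matching URLs.
# Matches /bugzilla/*, /mailman/* (anchored) and */wiki/* (any project prefix).
<LocationMatch "^/(bugzilla|mailman)/|/wiki/">
    Header always set Content-Security-Policy \
        "default-src 'self'; \
         script-src 'self'; \
         style-src 'self'; \
         img-src 'self' data:; \
         object-src 'none'; \
         base-uri 'self'; \
         frame-ancestors 'self'; \
         form-action 'self'"
</LocationMatch>
```

After a reload, check one URL from each class with `curl -sI https://HOST/PATH | grep -i content-security-policy` (HOST and PATH are placeholders) and confirm that a manual path reports the relaxed header while a bugzilla, wiki or mailman path reports the strict one without 'unsafe-inline'. The cost of the relaxed default is that any reflected or stored content that ends up under a non-matching path is not protected against inline script, so new user-facing services need to be added to the strict match when they are deployed; the longer-term alternative for static pages is to emit a per-page hash or nonce for the inline blocks so 'unsafe-inline' can be dropped there too.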