Fossil SCM
Reworked the material explaining why in-page <style> is currently allowed by Fossil's default CSP to make it clearer that this is most likely a temporary situation and that local custom CSS should go in the skin instead.
Commit
092eeebf40d66bf302d152eeb752ef80c83afb052a10a6b09eaeac5c8d36f527
Parent
23fcd765f6183aa…
1 file changed
+20
-11
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -117,21 +117,30 @@ | ||
| 117 | 117 | [svr]: ./server/ |
| 118 | 118 | |
| 119 | 119 | |
| 120 | 120 | ### <a name="style"></a> style-src 'self' 'unsafe-inline' |
| 121 | 121 | |
| 122 | -This policy allows CSS information to come from separate files in the | |
| 123 | -same domain of the Fossil server, or for CSS to be embedded inline within | |
| 124 | -the document text. | |
| 125 | - | |
| 126 | -The `'unsafe-inline'` element means that an injection vulnerability in | |
| 127 | -Fossil would allow an attacker to modify the CSS for a Fossil-generated | |
| 128 | -page. This is not ideal, but nor is it as dangerous as allowing | |
| 129 | -injected javascript to run, and Fossil uses of in-line CSS | |
| 130 | -for things like setting background colors in timelines and defining | |
| 131 | -line widths in bar graphs on the [Activity Reports](/reports) page, | |
| 132 | -so it seems like in-line CSS is a necessary compromise at this time. | |
| 122 | +This policy allows CSS information to come from separate files hosted | |
| 123 | +under the Fossil repo server’s Internet domain, or for CSS to be | |
| 124 | +embedded within `<style>` tags within the document text. | |
| 125 | + | |
| 126 | +The `'unsafe-inline'` declaration excludes CSS within individual HTML | |
| 127 | +elements: | |
| 128 | + | |
| 129 | + <p style="margin-left: 4em">Indented text.</p> | |
| 130 | + | |
| 131 | +Because this policy is weaker than [our default for script | |
| 132 | +elements](#script), there is the potential for an atacker to modify a | |
| 133 | +Fossil-generated page via CSS. While such page modifications are not as | |
| 134 | +dangerous as injected JavaScript, the real reason we allow it is that | |
| 135 | +Fossil still emits in-page `<style>` blocks in a few places. Over time, | |
| 136 | +we may work out ways to avoid each of these, which will eventually allow | |
| 137 | +us to tighten this CSP rule down to match the `script` rule. We | |
| 138 | +recommend that you do your own CSS modifications [via the skin][cs] | |
| 139 | +rather than depend on the ability to insert `<script>` blocks into | |
| 140 | +individual pages. | |
| 141 | + | |
| 133 | 142 | |
| 134 | 143 | ### <a name="script"></a> script-src 'self' 'nonce-%s' |
| 135 | 144 | |
| 136 | 145 | This policy disables in-line javascript and only allows `<script>` |
| 137 | 146 | elements if the `<script>` includes a `nonce=` attribute the |
| 138 | 147 |
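Review bot: the closing sentence of the new paragraph (new lines 138-140) warns readers not to depend on inserting `<script>` blocks into individual pages, but this section is about `style-src` and the sentence before it is about in-page `<style>` blocks; `<script>` is already governed by the nonce rule in the following section, so this should read `<style>` blocks. Two smaller points in the same hunk: "atacker" at new line 132 should be "attacker", and the statement at new lines 126-129 that `'unsafe-inline'` excludes CSS in `style=` attributes is worth checking against the CSP specification before merging, since `'unsafe-inline'` in `style-src` is generally understood to permit inline style attributes as well as `<style>` elements; if something else in Fossil's policy is what blocks attribute styles, the text should name it.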