Fossil SCM
Added a header to the new XSS material in defcsp.md so we can refer directly to it.
Commit
7b843f2d4354a4965f9ff940c31f0c103cc7f84db9f84e669754c5604dcf7fbf
Parent
8d43bb8786772d5…
1 file changed
+3
+3
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -105,10 +105,13 @@ | ||
| 105 | 105 | JavaScript by [defining a custom skin][cs], adding it to the skin’s |
| 106 | 106 | “JavaScript” section, which has the random nonce automatically inserted |
| 107 | 107 | by Fossil when it serves the page. This is how the JS backing the |
| 108 | 108 | default skin’s [hamburger menu](./customskin.md#menu) works. |
| 109 | 109 | |
| 110 | + | |
| 111 | +#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities | |
| 112 | + | |
| 110 | 113 | We’re so restrictive about how we treat JavaScript because it can lead |
| 111 | 114 | to difficult-to-avoid scripting attacks. If we used the same CSP for |
| 112 | 115 | `<script>` tags [as for `<style>` tags](#style), anyone with check-in |
| 113 | 116 | rights on your repository could add a JavaScript file to your repository |
| 114 | 117 | and then refer to it from other content added to the site. Since |
| 115 | 118 |
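Review bot: the new anchor at line 111, `<a name="xss"></a>`, uses the legacy `name` attribute, which HTML5 lists as obsolete on `<a>` in favour of `id`; unless the existing `#style` anchor referenced at line 115 is defined the same way (in which case matching the file's convention is reasonable), consider `#### <a id="xss"></a>Cross-Site Scripting via Ordinary User Capabilities` so the fragment target is standards-conformant. Minor style point: the hunk leaves two consecutive blank lines (existing 109 and the added 110) before the heading, and one would do.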