Fossil SCM
Added a section to the default CSP doc to document the changes made recently to that default CSP.
Commit
ab029e40ecfaf29eb1338e2468e0f4f0149bff61c9ce36ba3baf570469f49d80
Parent
a0788de83fcd55b…
1 file changed, +14
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -76,10 +76,23 @@ | ||
| 76 | 76 | There are many other cases, [covered below](#serving). |
| 77 | 77 | |
| 78 | 78 | [b64]: https://en.wikipedia.org/wiki/Base64 |
| 79 | 79 | [svr]: ./server/ |
| 80 | 80 | |
| 81 | + | |
| 82 | +### <a name="img"></a> img-src * data: | |
| 83 | + | |
| 84 | +As of Fossil 2.15, we don’t restrict the source of inline images at all. | |
| 85 | +You can pull them in from remote systems as well as pull them from | |
| 86 | +within the Fossil repository itself, or use `data:` URIs. | |
| 87 | + | |
| 88 | +If you are certain all images come from only within the repository, you | |
| 89 | +can close off certain risks — tracking pixels, broken image format | |
| 90 | +decoders, system dialog box spoofing, etc. — by changing this to | |
| 91 | +“`img-src 'self'`” possibly followed by “`data:`” if you will also use | |
| 92 | +`data:` URIs. | |
| 93 | + | |
| 81 | 94 | |
| 82 | 95 | ### <a name="style"></a> style-src 'self' 'unsafe-inline' |
| 83 | 96 | |
| 84 | 97 | This policy allows CSS information to come from separate files hosted |
| 85 | 98 | under the Fossil repo server’s Internet domain. It also allows inline CSS |
| @@ -96,10 +109,11 @@ | ||
| 96 | 109 | flexibility and the work-arounds are verbose and difficult to maintain. |
| 97 | 110 | Furthermore, the harm that can be done with style injections is far |
| 98 | 111 | less than the harm possible with injected javascript. And so the |
| 99 | 112 | `'unsafe-inline'` compromise is accepted for now, though it might |
| 100 | 113 | go away in some future release of Fossil. |
| 114 | + | |
| 101 | 115 | |
| 102 | 116 | ### <a name="script"></a> script-src 'self' 'nonce-%s' |
| 103 | 117 | |
| 104 | 118 | This policy disables in-line JavaScript and only allows `<script>` |
| 105 | 119 | elements if the `<script>` includes a `nonce` attribute that matches the |
| 106 | 120 |
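Review bot: this hunk is whitespace-only; the added blank line at new line 114 leaves two consecutive blank lines (114–115) before the `### script-src` heading. That matches the double spacing the first hunk introduces before `### style-src`, but the other section headings in www/defcsp.md keep a single blank line, so either drop this line or apply the double spacing to every heading for consistency.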