Fossil SCM
Correction and clarification of the use of unsafe-inline for style in the "defcsp.md" document.
Commit
baecb63d9b904ef4633affe9c120916f844713c9e08df029783da309f076782b
Parent
e73901f15c6797a…
1 file changed
+9
-12
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -93,26 +93,23 @@ | ||
| 93 | 93 | |
| 94 | 94 | This policy allows CSS information to come from separate files hosted |
| 95 | 95 | under the Fossil repo server’s Internet domain. It also allows inline CSS |
| 96 | 96 | `<style>` tags within the document text. |
| 97 | 97 | |
| 98 | -The `'unsafe-inline'` declaration excludes CSS within individual HTML | |
| 98 | +The `'unsafe-inline'` declaration allows CSS within individual HTML | |
| 99 | 99 | elements: |
| 100 | 100 | |
| 101 | 101 | <p style="margin-left: 4em">Indented text.</p> |
| 102 | 102 | |
| 103 | -Because this policy is weaker than [our default for script | |
| 104 | -elements](#script), there is the potential for an atacker to modify a | |
| 105 | -Fossil-generated page via CSS. While such page modifications are not as | |
| 106 | -dangerous as injected JavaScript, the real reason we allow it is that | |
| 107 | -Fossil still emits in-page `<style>` blocks in a few places. Over time, | |
| 108 | -we may work out ways to avoid each of these, which will eventually allow | |
| 109 | -us to tighten this CSP rule down to match the `script` rule. We | |
| 110 | -recommend that you do your own CSS modifications [via the skin][cs] | |
| 111 | -rather than depend on the ability to insert `<script>` blocks into | |
| 112 | -individual pages. | |
| 113 | - | |
| 103 | +As the "`unsafe-`" prefix on the name implies, the `'unsafe-inline'` | |
| 104 | +feature is suboptimal for security. However, there are | |
| 105 | +a few places in the Fossil-generated HTML that benefit from this | |
| 106 | +flexibility and the work-arounds are verbose and difficult to maintain. | |
| 107 | +Futhermore, the harm that can be done with style injections is far | |
| 108 | +less than the harm possible with injected javascript. And so the | |
| 109 | +`'unsafe-inline'` compromise is accepted for now, though it might | |
| 110 | +go away in some future release of Fossil. | |
| 114 | 111 | |
| 115 | 112 | ### <a name="script"></a> script-src 'self' 'nonce-%s' |
| 116 | 113 | |
| 117 | 114 | This policy disables in-line JavaScript and only allows `<script>` |
| 118 | 115 | elements if the `<script>` includes a `nonce` attribute that matches the |
| 119 | 116 |
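Review bot: two spelling/style nits in the added paragraph: new line 107 reads "Futhermore" (should be "Furthermore"), and new line 108 writes "javascript" in lower case where the rest of this document, including the removed old line 106 and line 114 just below, uses "JavaScript". Separately, the deleted old lines 110-112 carried the only actionable guidance in this section (make CSS changes via the skin rather than relying on inline styles, with the `[cs]` link); the replacement explains why `'unsafe-inline'` is tolerated but no longer tells the reader what the supported alternative is, so consider keeping a sentence along the lines of "We recommend that you do your own CSS modifications [via the skin][cs] rather than depend on the ability to insert `<style>` blocks into individual pages." (note the old text said `<script>` there, which looks like it meant `<style>`), and check that the `[cs]` link definition is still referenced elsewhere in the file so it does not become orphaned.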