Fossil SCM
Further adjustments to the default CSP to allow in-line images.
Commit
c184d646c3e07259092aa668e6bf7edbeb27abc8e30c113c250a2d56b935415d
Parent
025a007249d3896…
3 files changed
+1
-1
+2
-2
+1
-1
M
src/db.c
+1
-1
| --- src/db.c | ||
| +++ src/db.c | ||
| @@ -4218,11 +4218,11 @@ | ||
| 4218 | 4218 | ** the following default Content Security Policy is used: |
| 4219 | 4219 | ** |
| 4220 | 4220 | ** default-src 'self' data:; |
| 4221 | 4221 | ** script-src 'self' 'nonce-$nonce'; |
| 4222 | 4222 | ** style-src 'self' 'unsafe-inline'; |
| 4223 | -** img-src *; | |
| 4223 | +** img-src * data:; | |
| 4224 | 4224 | ** |
| 4225 | 4225 | ** The default CSP is recommended. The main reason to change |
| 4226 | 4226 | ** this setting would be to add CDNs from which it is safe to |
| 4227 | 4227 | ** load additional content. |
| 4228 | 4228 | */ |
| 4229 | 4229 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -4218,11 +4218,11 @@ | |
| 4218 | ** the following default Content Security Policy is used: |
| 4219 | ** |
| 4220 | ** default-src 'self' data:; |
| 4221 | ** script-src 'self' 'nonce-$nonce'; |
| 4222 | ** style-src 'self' 'unsafe-inline'; |
| 4223 | ** img-src *; |
| 4224 | ** |
| 4225 | ** The default CSP is recommended. The main reason to change |
| 4226 | ** this setting would be to add CDNs from which it is safe to |
| 4227 | ** load additional content. |
| 4228 | */ |
| 4229 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -4218,11 +4218,11 @@ | |
| 4218 | ** the following default Content Security Policy is used: |
| 4219 | ** |
| 4220 | ** default-src 'self' data:; |
| 4221 | ** script-src 'self' 'nonce-$nonce'; |
| 4222 | ** style-src 'self' 'unsafe-inline'; |
| 4223 | ** img-src * data:; |
| 4224 | ** |
| 4225 | ** The default CSP is recommended. The main reason to change |
| 4226 | ** this setting would be to add CDNs from which it is safe to |
| 4227 | ** load additional content. |
| 4228 | */ |
| 4229 |
+2
-2
| --- src/style.c | ||
| +++ src/style.c | ||
| @@ -547,11 +547,11 @@ | ||
| 547 | 547 | ** default is used instead: |
| 548 | 548 | ** |
| 549 | 549 | ** default-src 'self' data:; |
| 550 | 550 | ** script-src 'self' 'nonce-$nonce'; |
| 551 | 551 | ** style-src 'self' 'unsafe-inline'; |
| 552 | -** img-src *; | |
| 552 | +** img-src * data:; | |
| 553 | 553 | ** |
| 554 | 554 | ** The text '$nonce' is replaced by style_nonce() if and whereever it |
| 555 | 555 | ** occurs in the input string. |
| 556 | 556 | ** |
| 557 | 557 | ** The string returned is obtained from fossil_malloc() and |
| @@ -560,11 +560,11 @@ | ||
| 560 | 560 | char *style_csp(int toHeader){ |
| 561 | 561 | static const char zBackupCSP[] = |
| 562 | 562 | "default-src 'self' data:; " |
| 563 | 563 | "script-src 'self' 'nonce-$nonce'; " |
| 564 | 564 | "style-src 'self' 'unsafe-inline'; " |
| 565 | - "img-src *"; | |
| 565 | + "img-src * data:"; | |
| 566 | 566 | const char *zFormat; |
| 567 | 567 | Blob csp; |
| 568 | 568 | char *zNonce; |
| 569 | 569 | char *zCsp; |
| 570 | 570 | int i; |
| 571 | 571 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -547,11 +547,11 @@ | |
| 547 | ** default is used instead: |
| 548 | ** |
| 549 | ** default-src 'self' data:; |
| 550 | ** script-src 'self' 'nonce-$nonce'; |
| 551 | ** style-src 'self' 'unsafe-inline'; |
| 552 | ** img-src *; |
| 553 | ** |
| 554 | ** The text '$nonce' is replaced by style_nonce() if and whereever it |
| 555 | ** occurs in the input string. |
| 556 | ** |
| 557 | ** The string returned is obtained from fossil_malloc() and |
| @@ -560,11 +560,11 @@ | |
| 560 | char *style_csp(int toHeader){ |
| 561 | static const char zBackupCSP[] = |
| 562 | "default-src 'self' data:; " |
| 563 | "script-src 'self' 'nonce-$nonce'; " |
| 564 | "style-src 'self' 'unsafe-inline'; " |
| 565 | "img-src *"; |
| 566 | const char *zFormat; |
| 567 | Blob csp; |
| 568 | char *zNonce; |
| 569 | char *zCsp; |
| 570 | int i; |
| 571 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -547,11 +547,11 @@ | |
| 547 | ** default is used instead: |
| 548 | ** |
| 549 | ** default-src 'self' data:; |
| 550 | ** script-src 'self' 'nonce-$nonce'; |
| 551 | ** style-src 'self' 'unsafe-inline'; |
| 552 | ** img-src * data:; |
| 553 | ** |
| 554 | ** The text '$nonce' is replaced by style_nonce() if and whereever it |
| 555 | ** occurs in the input string. |
| 556 | ** |
| 557 | ** The string returned is obtained from fossil_malloc() and |
| @@ -560,11 +560,11 @@ | |
| 560 | char *style_csp(int toHeader){ |
| 561 | static const char zBackupCSP[] = |
| 562 | "default-src 'self' data:; " |
| 563 | "script-src 'self' 'nonce-$nonce'; " |
| 564 | "style-src 'self' 'unsafe-inline'; " |
| 565 | "img-src * data:"; |
| 566 | const char *zFormat; |
| 567 | Blob csp; |
| 568 | char *zNonce; |
| 569 | char *zCsp; |
| 570 | int i; |
| 571 |
+1
-1
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -26,11 +26,11 @@ | ||
| 26 | 26 | |
| 27 | 27 | <pre> |
| 28 | 28 | default-src 'self' data:; |
| 29 | 29 | script-src 'self' 'nonce-$nonce'; |
| 30 | 30 | style-src 'self' 'unsafe-inline'; |
| 31 | - img-src *; | |
| 31 | + img-src * data:; | |
| 32 | 32 | </pre> |
| 33 | 33 | |
| 34 | 34 | The default is recommended for most installations. However, |
| 35 | 35 | the site administrators can overwrite this default DSP using the |
| 36 | 36 | [default-csp setting](/help?cmd=default-csp). For example, |
| 37 | 37 |
| --- www/defcsp.md | |
| +++ www/defcsp.md | |
| @@ -26,11 +26,11 @@ | |
| 26 | |
| 27 | <pre> |
| 28 | default-src 'self' data:; |
| 29 | script-src 'self' 'nonce-$nonce'; |
| 30 | style-src 'self' 'unsafe-inline'; |
| 31 | img-src *; |
| 32 | </pre> |
| 33 | |
| 34 | The default is recommended for most installations. However, |
| 35 | the site administrators can overwrite this default DSP using the |
| 36 | [default-csp setting](/help?cmd=default-csp). For example, |
| 37 |
| --- www/defcsp.md | |
| +++ www/defcsp.md | |
| @@ -26,11 +26,11 @@ | |
| 26 | |
| 27 | <pre> |
| 28 | default-src 'self' data:; |
| 29 | script-src 'self' 'nonce-$nonce'; |
| 30 | style-src 'self' 'unsafe-inline'; |
| 31 | img-src * data:; |
| 32 | </pre> |
| 33 | |
| 34 | The default is recommended for most installations. However, |
| 35 | the site administrators can overwrite this default DSP using the |
| 36 | [default-csp setting](/help?cmd=default-csp). For example, |
| 37 |