Fossil SCM
Several small tweaks to defcsp.md
Commit
e73901f15c6797a9cce5692093b900fdf02ab4fb64438dff38f7796437cae61a
Parent
161958a49b7d284…
1 file changed
+12
-9
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -2,13 +2,15 @@ | ||
| 2 | 2 | |
| 3 | 3 | When Fossil’s web interface generates an HTML page, it normally includes |
| 4 | 4 | a [Content Security Policy][csp] (CSP) in the `<head>`. The CSP defines |
| 5 | 5 | a “white list” to tell the browser what types of content (HTML, images, |
| 6 | 6 | CSS, JavaScript...) the document may reference and the sources the |
| 7 | -browser is allowed to pull such content from. The aim is to prevent | |
| 7 | +browser is allowed to pull and interpret such content from. The aim is to prevent | |
| 8 | 8 | certain classes of [cross-site scripting][xss] (XSS) and code injection |
| 9 | -attacks. The browser will not pull content types disallowed by the CSP. | |
| 9 | +attacks. The browser will not pull content types disallowed by the CSP; | |
| 10 | +the CSP also adds restrictions on the types of inline content the | |
| 11 | +browser is allowed to interpret. | |
| 10 | 12 | |
| 11 | 13 | Fossil has built-in server-side content filtering logic. For example, it |
| 12 | 14 | purposely breaks `<script>` tags when it finds them in Markdown and |
| 13 | 15 | Fossil Wiki documents. (But not in [HTML-formatted embedded |
| 14 | 16 | docs][hfed]!) We also back that with multiple levels of analysis and |
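Review bot: new line 7 ("browser is allowed to pull and interpret such content from. The aim is to prevent") runs well past the wrap width the rest of this paragraph keeps; rewrap it, e.g. "browser is allowed to pull and interpret such content from. The aim is" / "to prevent certain classes of [cross-site scripting][xss] (XSS) and code". The added sentence on new lines 10-11 is the substantive change and is what makes the later `'unsafe-inline'` discussion follow, so consider saying what "inline content" covers (inline `<script>` and `<style>` blocks, `style=` attributes) so the reader sees that the CSP restricts more than fetch sources.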
| @@ -26,15 +28,16 @@ | ||
| 26 | 28 | to some extent, a reactive posture. It is cold comfort if Fossil’s |
| 27 | 29 | developers react quickly to a report of code injection — as we do! — if |
| 28 | 30 | the bad guys learn of it and start exploiting it first. |
| 29 | 31 | |
| 30 | 32 | Second, Fossil has purposefully powerful features that are inherently |
| 31 | -difficult to police from the server side: HTML [in wiki](/wiki_rules) | |
| 32 | -and [in Markdown](/md_rules) docs, [TH1 docs](./th1.md), etc. | |
| 33 | +difficult to police from the server side: HTML tags [in wiki](/wiki_rules) | |
| 34 | +and [in Markdown](/md_rules) docs, [TH1 docs](./th1.md), the Admin → | |
| 35 | +Wiki → “Use HTML as wiki markup language” mode, etc. | |
| 33 | 36 | |
| 34 | -Fossil’s strong default CSP adds client-side filtering to backstop our | |
| 35 | -server-side measures. | |
| 37 | +Fossil’s strong default CSP adds client-side filtering as a backstop for | |
| 38 | +all of this. | |
| 36 | 39 | |
| 37 | 40 | Fossil site administrators can [modify the default CSP](#override), perhaps |
| 38 | 41 | to add trusted external sources for auxiliary content. But for maximum |
| 39 | 42 | safety, site developers are encouraged to work within the restrictions |
| 40 | 43 | imposed by the default CSP and avoid the temptation to relax the CSP |
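Review bot: "as a backstop for all of this" (new lines 37-38) has no clear antecedent. The paragraph just before it lists features that are hard to police, whereas the replaced wording named what was being backstopped (the server-side measures). Suggest "as a backstop for all of these hard-to-police features" or keeping the original sentence. Separately, the new Admin → Wiki → “Use HTML as wiki markup language” item on new lines 34-35 is the only entry in the list without a link; if that setting has a documentation page, link it like its neighbours.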
| @@ -58,11 +61,11 @@ | ||
| 58 | 61 |  |
| 59 | 62 | |
| 60 | 63 | If you look in the browser’s developer console, you should see a CSP |
| 61 | 64 | error when attempting to render such a page. |
| 62 | 65 | |
| 63 | -The default policy does allows inline `data:` URIs, which means you could | |
| 66 | +The default policy does allow inline `data:` URIs, which means you could | |
| 64 | 67 | [data-encode][de] your image content and put it inline within the |
| 65 | 68 | document: |
| 66 | 69 | |
| 67 | 70 |  |
| 68 | 71 | |
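Review bot: the "does allows" fix is correct. While this paragraph is open, "[data-encode][de]" on unchanged line 67 is not a standard term: a `data:` URI carries the image payload base64-encoded (or percent-encoded), so "[base64-encode][de]" or "embed it as a `data:` URI" reads more precisely. It would also help to name which directive grants the `data:` allowance, since the sections that follow are organised per directive.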
| @@ -87,12 +90,12 @@ | ||
| 87 | 90 | |
| 88 | 91 | |
| 89 | 92 | ### <a name="style"></a> style-src 'self' 'unsafe-inline' |
| 90 | 93 | |
| 91 | 94 | This policy allows CSS information to come from separate files hosted |
| 92 | -under the Fossil repo server’s Internet domain, or for CSS to be | |
| 93 | -embedded within `<style>` tags within the document text. | |
| 95 | +under the Fossil repo server’s Internet domain. It also allows inline CSS | |
| 96 | +`<style>` tags within the document text. | |
| 94 | 97 | |
| 95 | 98 | The `'unsafe-inline'` declaration excludes CSS within individual HTML |
| 96 | 99 | elements: |
| 97 | 100 | |
| 98 | 101 | <p style="margin-left: 4em">Indented text.</p> |
| 99 | 102 |
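Review bot: "inline CSS `<style>` tags" (new lines 95-96) is slightly off, since the CSS lives inside `<style>` elements rather than being a tag itself; suggest "It also allows inline CSS in `<style>` elements within the document text." More importantly, the unchanged lines 98-99 go on to say that `'unsafe-inline'` "excludes CSS within individual HTML elements" such as `<p style="...">`. In the CSP specification `'unsafe-inline'` in `style-src` permits `style` attributes as well as `<style>` elements, so if the intent is that `style=` attributes are blocked on Fossil pages, the text should say what blocks them; otherwise that sentence should be corrected as part of this edit.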