Add a Content-Security-Policy HTTP header that allows only CSS.
authorIngo Schwarze <schwarze@openbsd.org>
Sun, 10 Nov 2019 22:35:25 +0000 (22:35 +0000)
committerIngo Schwarze <schwarze@openbsd.org>
Sun, 10 Nov 2019 22:35:25 +0000 (22:35 +0000)
This ensures that in a modern browser that understands the header,
mandoc rendering bugs cannot possibly be interpreted as JavaScript.
Patch from bentley@.

cgi.c

diff --git a/cgi.c b/cgi.c
index 18b9379e765eb9e177ee8dea44ac73f6325e8e5b..6487bdcb66392f16a748d51642f50db10958592c 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*     $Id: cgi.c,v 1.168 2019/10/01 17:54:14 schwarze Exp $ */
+/*     $Id: cgi.c,v 1.169 2019/11/10 22:35:25 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014-2019 Ingo Schwarze <schwarze@usta.de>
@@ -340,6 +340,8 @@ resp_begin_http(int code, const char *msg)
 
        printf("Content-Type: text/html; charset=utf-8\r\n"
             "Cache-Control: no-cache\r\n"
+            "Content-Security-Policy: default-src 'none'; "
+            "style-src 'self' 'unsafe-inline'\r\n"
             "Pragma: no-cache\r\n"
             "\r\n");
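Review bot: The `'unsafe-inline'` in the style-src directive deserves a comment in the header block, because it is the one relaxation in an otherwise closed policy and the commit message only says the header "allows only CSS". With `default-src 'none'` a rendering bug cannot yield executable script, but any injected `<style>` element or `style=` attribute is still honored, so CSS-level effects (hidden or re-styled content, selector-based requests) remain possible; presumably the relaxation exists because the generated HTML carries inline style attributes, which is worth confirming and recording. I would add above the printf something like `/* CSP: default-src 'none' blocks scripts, images and fonts; 'unsafe-inline' is required for the inline style attributes in the generated HTML. */`. If inline styles are not actually needed, dropping `'unsafe-inline'` would tighten the policy further. resp_begin_http begins outside the hunk.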