From: Ingo Schwarze Date: Sun, 10 Nov 2019 22:35:25 +0000 (+0000) Subject: Add a Content-Security-Policy HTTP header that allows only CSS. X-Git-Tag: VERSION_1_14_6~190 X-Git-Url: https://git.cameronkatri.com/mandoc.git/commitdiff_plain/89d32b9120ed7de9fe5283abc537b21bd0b8bde9 Add a Content-Security-Policy HTTP header that allows only CSS. This ensures that in a modern browser that understands the header, mandoc rendering bugs cannot possibly be interpreted as JavaScript. Patch from bentley@. --- diff --git a/cgi.c b/cgi.c index 18b9379e..6487bdcb 100644 --- a/cgi.c +++ b/cgi.c @@ -1,4 +1,4 @@ -/* $Id: cgi.c,v 1.168 2019/10/01 17:54:14 schwarze Exp $ */ +/* $Id: cgi.c,v 1.169 2019/11/10 22:35:25 schwarze Exp $ */ /* * Copyright (c) 2011, 2012 Kristaps Dzonsons * Copyright (c) 2014-2019 Ingo Schwarze @@ -340,6 +340,8 @@ resp_begin_http(int code, const char *msg) printf("Content-Type: text/html; charset=utf-8\r\n" "Cache-Control: no-cache\r\n" + "Content-Security-Policy: default-src 'none'; " + "style-src 'self' 'unsafe-inline'\r\n" "Pragma: no-cache\r\n" "\r\n");
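Review bot: the `'unsafe-inline'` token in `style-src` is the one part of this policy that still trusts content on the page, so a short comment above the new `printf` lines explaining why it is required (presumably because the generated HTML carries inline `style=` attributes) would let a later maintainer know when it can be dropped in favour of `style-src 'self'` alone. With `default-src 'none'` as the fallback, everything not listed (scripts, images, fonts, frames, fetches) is blocked, which matches the stated goal that a rendering bug cannot be interpreted as JavaScript; only the external stylesheet permitted by `'self'` and inline styles get through. The header is placed between `Cache-Control` and `Pragma` and the two string literals concatenate to a single well-formed `Content-Security-Policy:` line terminated by `\r\n`, so the output itself looks correct.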