From 89d32b9120ed7de9fe5283abc537b21bd0b8bde9 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Sun, 10 Nov 2019 22:35:25 +0000
Subject: Add a Content-Security-Policy HTTP header that allows only CSS. This
 ensures that in a modern browser that understands the header, mandoc
 rendering bugs cannot possibly be interpreted as JavaScript. Patch from
 bentley@.

---
 cgi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'cgi.c')

diff --git a/cgi.c b/cgi.c
index 18b9379e..6487bdcb 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.168 2019/10/01 17:54:14 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.169 2019/11/10 22:35:25 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014-2019 Ingo Schwarze <schwarze@usta.de>
@@ -340,6 +340,8 @@ resp_begin_http(int code, const char *msg)
 
 	printf("Content-Type: text/html; charset=utf-8\r\n"
 	     "Cache-Control: no-cache\r\n"
+	     "Content-Security-Policy: default-src 'none'; "
+	     "style-src 'self' 'unsafe-inline'\r\n"
 	     "Pragma: no-cache\r\n"
 	     "\r\n");
 
-- 
cgit v1.2.3