diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2019-11-10 22:35:25 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2019-11-10 22:35:25 +0000 |
commit | 89d32b9120ed7de9fe5283abc537b21bd0b8bde9 (patch) | |
tree | 51a599e27ff9de2097ae2659cf7dfef37e8e82d8 /cgi.c | |
parent | 801eeff8b3b3dd958ffde4c2edb1022fa8660937 (diff) | |
download | mandoc-89d32b9120ed7de9fe5283abc537b21bd0b8bde9.tar.gz mandoc-89d32b9120ed7de9fe5283abc537b21bd0b8bde9.tar.zst mandoc-89d32b9120ed7de9fe5283abc537b21bd0b8bde9.zip |
Add a Content-Security-Policy HTTP header that allows only CSS.
This ensures that in a modern browser that understands the header,
mandoc rendering bugs cannot possibly be interpreted as JavaScript.
Patch from bentley@.
Diffstat (limited to 'cgi.c')
-rw-r--r-- | cgi.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $Id: cgi.c,v 1.168 2019/10/01 17:54:14 schwarze Exp $ */ +/* $Id: cgi.c,v 1.169 2019/11/10 22:35:25 schwarze Exp $ */ /* * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2014-2019 Ingo Schwarze <schwarze@usta.de> @@ -340,6 +340,8 @@ resp_begin_http(int code, const char *msg) printf("Content-Type: text/html; charset=utf-8\r\n" "Cache-Control: no-cache\r\n" + "Content-Security-Policy: default-src 'none'; " + "style-src 'self' 'unsafe-inline'\r\n" "Pragma: no-cache\r\n" "\r\n"); |