path: root/cgi.c
author: Ingo Schwarze <schwarze@openbsd.org> 2019-11-10 22:35:25 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2019-11-10 22:35:25 +0000
commit: 89d32b9120ed7de9fe5283abc537b21bd0b8bde9
tree: 51a599e27ff9de2097ae2659cf7dfef37e8e82d8 /cgi.c
parent: 801eeff8b3b3dd958ffde4c2edb1022fa8660937
Add a Content-Security-Policy HTTP header that allows only CSS.
This ensures that in a modern browser that understands the header, mandoc rendering bugs cannot possibly be interpreted as JavaScript. Patch from bentley@.
Diffstat (limited to 'cgi.c')
-rw-r--r-- cgi.c 4
1 files changed, 3 insertions, 1 deletions
diff --git a/cgi.c b/cgi.c
index 18b9379e..6487bdcb 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/* $Id: cgi.c,v 1.168 2019/10/01 17:54:14 schwarze Exp $ */
+/* $Id: cgi.c,v 1.169 2019/11/10 22:35:25 schwarze Exp $ */
/*
* Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2014-2019 Ingo Schwarze <schwarze@usta.de>
@@ -340,6 +340,8 @@ resp_begin_http(int code, const char *msg)
printf("Content-Type: text/html; charset=utf-8\r\n"
"Cache-Control: no-cache\r\n"
+ "Content-Security-Policy: default-src 'none'; "
+ "style-src 'self' 'unsafe-inline'\r\n"
"Pragma: no-cache\r\n"
"\r\n");
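Review bot: the only relaxation in the new policy at `+ "Content-Security-Policy: default-src 'none'; "` / `+ "style-src 'self' 'unsafe-inline'\r\n"` is `'unsafe-inline'` for styles, and nothing in the hunk or the commit message says why it is needed; a one-line comment above the printf stating that the generated HTML relies on inline `style=` attributes or `<style>` blocks (or dropping `'unsafe-inline'` if it does not) would let the next reader tighten the policy with confidence. Two caveats for the record: `default-src 'none'` does block scripts, images, fonts, frames and fetches, which meets the stated goal, but `form-action` and `base-uri` do not fall back to `default-src`, so any search form rendered by this CGI is not constrained unless `form-action 'self'` (and, for completeness, `base-uri 'none'`) are added explicitly; and since the header is emitted from resp_begin_http, every response including error pages now carries it, which is fine as long as those pages need nothing beyond the same-origin stylesheet that `'self'` permits.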