unofficial mirror of meta@public-inbox.org
From: Eric Wong <e@80x24.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Duplicate base css definitions in stylesheets
Date: Mon, 16 Aug 2021 22:21:48 +0000
Message-ID: <20210816222148.GA25044@dcvr>
In-Reply-To: <20210816145015.2tbjqkozb6ezfkvj@nitro.local>

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> All pages carry the following inlined css declaration:
> 
>     <style>pre{white-space:pre-wrap}*{font-size:100%;font-family:monospace}</style>
> 
> However, site security policies may deliberately prohibit execution of
> inline content such as scripts and stylesheets as an extra layer of
> protection against XSS vulnerabilities. For example, with the following
> HTTP headers returned by the server, the inline styles above will be
> ignored:
> 
>     Content-Security-Policy: default-src 'self'

Odd, I thought inline would be the most secure since there's no
chance of separate requests going to third parties...

> This causes public-inbox content to be rendered poorly on mobile devices
> due to the default <pre> behaviour. Duplicating this declaration into
> the contrib stylesheets makes sure that these styles are applied even
> with the strictest security policies in place.

Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

I've been looking forward to getting JMAP working (once the mind-twisting
inotify/IDLE synchronization stuff with lei is done); but not
sure how mobile clients handle it, if at all, yet.
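
The directive fallback that makes `default-src 'self'` drop the inline `<style>` quoted above, as an added example (not public-inbox code and not part of this message). It assumes a single policy in one header, and the names `parseCsp`, `inlineStyleAllowed`, `el.nonce` and `el.digest` are hypothetical.

```javascript
// Added example: decide whether a CSP header lets an inline <style> element apply.
// Follows the CSP Level 3 fallback chain for <style> elements:
//   style-src-elem -> style-src -> default-src

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // A directive repeated within one policy is ignored after its first use.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// el.nonce / el.digest describe the <style> element being checked (hypothetical
// parameter names): its nonce attribute, and "sha256-<base64>" of its text,
// computed by the caller.
function inlineStyleAllowed(header, el = {}) {
  const policy = parseCsp(header);
  const sources = policy.get('style-src-elem')
    ?? policy.get('style-src')
    ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: no restriction

  // A matching nonce or hash source allows this one element (exact token match).
  if (el.nonce && sources.includes(`'nonce-${el.nonce}'`)) return true;
  if (el.digest && sources.includes(`'${el.digest}'`)) return true;

  // 'unsafe-inline' is ignored as soon as the list carries any nonce or hash.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return !strict && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}
```

With the header from the quoted commit message the function returns `false`, because `'self'` only matches same-origin URLs and an inline block has none; that is why the rules had to move into the same-origin contrib stylesheets.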

Thread overview: 3+ messages
2021-08-16 14:50 [PATCH] Duplicate base css definitions in stylesheets Konstantin Ryabitsev
2021-08-16 22:21 ` Eric Wong [this message]
2021-08-17 14:06   ` Konstantin Ryabitsev
