From: Eric Wong
To: Konstantin Ryabitsev
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Duplicate base css definitions in stylesheets
Date: Mon, 16 Aug 2021 22:21:48 +0000
Message-ID: <20210816222148.GA25044@dcvr>
In-Reply-To: <20210816145015.2tbjqkozb6ezfkvj@nitro.local>
References: <20210816145015.2tbjqkozb6ezfkvj@nitro.local>

Konstantin Ryabitsev wrote:
> All pages carry the following inlined css declaration:
>
> However, site security policies may deliberately prohibit execution of
> inline content such as scripts and stylesheets as an extra layer of
> protection against XSS vulnerabilities. For example, with the following
> HTTP headers returned by the server, the inline styles above will be
> ignored:
>
> Content-Security-Policy: default-src 'self'

Odd, I thought inline would be the most secure since there's no chance of
separate requests going to third parties...

> This causes public-inbox content to be rendered poorly on mobile devices
> due to the default behaviour. Duplicating this declaration into
> the contrib stylesheets makes sure that these styles are applied even
> with the strictest security policies in place.

Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

I've been looking forward to getting JMAP working (once the mind-twisting
inotify/IDLE synchronization stuff with lei is done); but not
sure how mobile clients handle it, if at all, yet.
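The thread turns on one CSP detail: `style-src` falls back to `default-src`, so `default-src 'self'` alone blocks every `<style>` element, and only `'unsafe-inline'`, a nonce, or a hash source lets one through. The following Python is an added example written for this page, not code from public-inbox or from either poster. It parses a policy header the way a browser resolves it, reports whether an inline style block would be applied, and computes the hash source that would whitelist that exact block as an alternative to moving the rules into an external stylesheet. `SAMPLE_CSS` is a constructed stand-in for the declaration quoted in the thread, and the check assumes the `<style>` element carries no nonce attribute.

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Constructed sample (assumption): stands in for the inline declaration quoted
# in the thread, which is not reproduced here.
SAMPLE_CSS = "pre { white-space: pre-wrap; }"

# Source expressions whose presence makes browsers ignore 'unsafe-inline'.
INLINE_ALLOWING_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source, ...]}.

    Directive names are ASCII case-insensitive. If a directive is repeated,
    user agents honour the first occurrence and ignore later ones.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def style_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list governing <style> elements, or None if unrestricted.

    style-src falls back to default-src when absent, which is why a bare
    "default-src 'self'" already forbids inline styles.
    """
    if "style-src" in policy:
        return policy["style-src"]
    return policy.get("default-src")


def hash_source(css_text: str, algo: str = "sha256") -> str:
    """Compute the CSP hash source that whitelists exactly css_text."""
    digest = hashlib.new(algo, css_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_style_allowed(header: str, css_text: str) -> bool:
    """Decide whether a nonce-less <style> element containing css_text applies."""
    sources = style_sources(parse_csp(header))
    if sources is None:
        return True  # neither style-src nor default-src: no restriction

    # A matching hash source always admits the block (base64 is case-sensitive).
    for algo in ("sha256", "sha384", "sha512"):
        if hash_source(css_text, algo) in sources:
            return True

    # Once any nonce or hash source is present, 'unsafe-inline' is ignored,
    # so an unmatched inline block is blocked even if the keyword is listed.
    if any(src.lower().startswith(INLINE_ALLOWING_PREFIXES) for src in sources):
        return False

    return "'unsafe-inline'" in (src.lower() for src in sources)


if __name__ == "__main__":
    strict = "default-src 'self'"
    print(strict, "->", inline_style_allowed(strict, SAMPLE_CSS))
    hashed = f"default-src 'self'; style-src 'self' {hash_source(SAMPLE_CSS)}"
    print(hashed, "->", inline_style_allowed(hashed, SAMPLE_CSS))
```

The hash route keeps the policy strict while still permitting the one known block, but any whitespace or byte change to the inline CSS invalidates the hash, which is part of why shipping the rules in the served stylesheet is the lower-maintenance fix the patch chose.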