From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Eric Wong <e@80x24.org>
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Duplicate base css definitions in stylesheets
Date: Tue, 17 Aug 2021 10:06:55 -0400 [thread overview]
Message-ID: <20210817140655.n37dwchcyq3b5nth@nitro.local> (raw)
In-Reply-To: <20210816222148.GA25044@dcvr>
On Mon, Aug 16, 2021 at 10:21:48PM +0000, Eric Wong wrote:
> > However, site security policies may deliberately prohibit execution of
> > inline content such as scripts and stylesheets as an extra layer of
> > protection against XSS vulnerabilities. For example, with the following
> > HTTP headers returned by the server, the inline styles above will be
> > ignored:
> >
> > Content-Security-Policy: default-src 'self'
>
> Odd, I thought inline would be the most secure since there's no
> chance of separate requests going to third parties...
For sites that accept untrusted user input (e.g. via query boxes or any other
input), default-src 'self' is the safest setting, because this requires an
attacker to be able to inject both a server-side entry that returns malicious
content *and* an in-page link, script, or img tag that would load it. It helps
eliminate reflected XSS as an attack vector entirely.
> > This causes public-inbox content to be rendered poorly on mobile devices
> > due to the default <pre> behaviour. Duplicating this declaration into
> > the contrib stylesheets makes sure that these styles are applied even
> > with the strictest security policies in place.
>
> Oh well :< pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a
Thank you!
-K
prev parent reply other threads:[~2021-08-17 14:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-16 14:50 [PATCH] Duplicate base css definitions in stylesheets Konstantin Ryabitsev
2021-08-16 22:21 ` Eric Wong
2021-08-17 14:06 ` Konstantin Ryabitsev [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210817140655.n37dwchcyq3b5nth@nitro.local \
--to=konstantin@linuxfoundation.org \
--cc=e@80x24.org \
--cc=meta@public-inbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).