Re: [PATCH] Duplicate base css definitions in stylesheets

unofficial mirror of meta@public-inbox.org
 help / color / mirror / Atom feed

From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Eric Wong <e@80x24.org>
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Duplicate base css definitions in stylesheets
Date: Tue, 17 Aug 2021 10:06:55 -0400	[thread overview]
Message-ID: <20210817140655.n37dwchcyq3b5nth@nitro.local> (raw)
In-Reply-To: <20210816222148.GA25044@dcvr>

On Mon, Aug 16, 2021 at 10:21:48PM +0000, Eric Wong wrote:
> > However, site security policies may deliberately prohibit execution of
> > inline content such as scripts and stylesheets as an extra layer of
> > protection against XSS vulnerabilities. For example, with the following
> > HTTP headers returned by the server, the inline styles above will be
> > ignored:
> > 
> >     Content-Security-Policy: default-src 'self'
> 
> Odd, I thought inline would be the most secure since there's no
> chance of separate requests going to third parties...

For sites that accept untrusted user input (e.g. via query boxes or any other
input), default-src 'self' is the safest setting, because this requires an
attacker to be able to inject both a server-side entry that returns malicious
content *and* an in-page link, script, or img tag that would load it. It helps
eliminate reflected XSS as an attack vector entirely.

> > This causes public-inbox content to be rendered poorly on mobile devices
> > due to the default <pre> behaviour. Duplicating this declaration into
> > the contrib stylesheets makes sure that these styles are applied even
> > with the strictest security policies in place.
> 
> Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

Thank you!

-K

     prev parent reply	other threads:[~2021-08-17 14:06 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-16 14:50 [PATCH] Duplicate base css definitions in stylesheets Konstantin Ryabitsev
2021-08-16 22:21 ` Eric Wong
2021-08-17 14:06   ` Konstantin Ryabitsev [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210817140655.n37dwchcyq3b5nth@nitro.local \
    --to=konstantin@linuxfoundation.org \
    --cc=e@80x24.org \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).