unofficial mirror of meta@public-inbox.org
* [PATCH] Duplicate base css definitions in stylesheets
@ 2021-08-16 14:50 Konstantin Ryabitsev
  2021-08-16 22:21 ` Eric Wong
  0 siblings, 1 reply; 3+ messages in thread
From: Konstantin Ryabitsev @ 2021-08-16 14:50 UTC (permalink / raw)
  To: meta

All pages carry the following inlined css declaration:

    <style>pre{white-space:pre-wrap}*{font-size:100%;font-family:monospace}</style>

However, site security policies may deliberately prohibit execution of
inline content such as scripts and stylesheets as an extra layer of
protection against XSS vulnerabilities. For example, with the following
HTTP headers returned by the server, the inline styles above will be
ignored:

    Content-Security-Policy: default-src 'self'

This causes public-inbox content to be rendered poorly on mobile devices
due to the default <pre> behaviour. Duplicating this declaration into
the contrib stylesheets makes sure that these styles are applied even
with the strictest security policies in place.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 contrib/css/216dark.css  | 3 ++-
 contrib/css/216light.css | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/contrib/css/216dark.css b/contrib/css/216dark.css
index 02804cbd..1277a49a 100644
--- a/contrib/css/216dark.css
+++ b/contrib/css/216dark.css
@@ -5,7 +5,8 @@
  * It reduces eyestrain for me, and energy usage for all:
  * https://en.wikipedia.org/wiki/Light-on-dark_color_scheme
  */
-* { background:#000; color:#ccc }
+* { font-size: 100%; font-family: monospace; background:#000; color:#ccc }
+pre { white-space: pre-wrap }
 
 /*
  * Underlined links add visual noise which make them hard-to-read.
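Review bot: The added `font-size: 100%; font-family: monospace` declarations and the new `pre { white-space: pre-wrap }` rule carry no comment saying they duplicate the inline <style> block for sites whose Content-Security-Policy drops inline styles, so a later cleanup could remove them as redundant. A one-line comment above the `*` rule, for example `/* duplicated from the inline <style>; needed under default-src 'self' */`, would record the reason. The new declarations also use `prop: value` spacing while `background:#000; color:#ccc` on the same line does not; one style within the rule would read better.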
diff --git a/contrib/css/216light.css b/contrib/css/216light.css
index c66cfdfe..741214c9 100644
--- a/contrib/css/216light.css
+++ b/contrib/css/216light.css
@@ -4,7 +4,8 @@
  * Suitable for print, and blinding people with brightness.
  * Haphazardly thrown together because bright colors hurt my eyes
  */
-* { background:#fff; color:#333 }
+* { font-size: 100%; font-family: monospace; background:#fff; color:#333 }
+pre { white-space: pre-wrap }
 
 /*
  * Underlined links add visual noise which make them hard-to-read.
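Review bot: The same two base rules are now copied verbatim into 216light.css, 216dark.css and the inline <style>, and nothing ties the copies together, so a later change to the inline defaults can silently diverge from these files. A comment next to the `*` and `pre` rules here saying they must track the inline declaration would help. The diffstat touches only these two files, so a site serving any other stylesheet under the same policy would still render without the base rules; the commit message could say so.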

base-commit: 0a3bcc909a9b023755079ee57f347f33aac75d3e
-- 
2.31.1



* Re: [PATCH] Duplicate base css definitions in stylesheets
  2021-08-16 14:50 [PATCH] Duplicate base css definitions in stylesheets Konstantin Ryabitsev
@ 2021-08-16 22:21 ` Eric Wong
  2021-08-17 14:06   ` Konstantin Ryabitsev
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Wong @ 2021-08-16 22:21 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: meta

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> All pages carry the following inlined css declaration:
> 
>     <style>pre{white-space:pre-wrap}*{font-size:100%;font-family:monospace}</style>
> 
> However, site security policies may deliberately prohibit execution of
> inline content such as scripts and stylesheets as an extra layer of
> protection against XSS vulnerabilities. For example, with the following
> HTTP headers returned by the server, the inline styles above will be
> ignored:
> 
>     Content-Security-Policy: default-src 'self'

Odd, I thought inline would be the most secure since there's no
chance of separate requests going to third parties...

> This causes public-inbox content to be rendered poorly on mobile devices
> due to the default <pre> behaviour. Duplicating this declaration into
> the contrib stylesheets makes sure that these styles are applied even
> with the strictest security policies in place.

Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

I've been looking forward to getting JMAP working (once the mind-twisting
inotify/IDLE synchronization stuff with lei is done); but not
sure how mobile clients handle it, if at all, yet.


* Re: [PATCH] Duplicate base css definitions in stylesheets
  2021-08-16 22:21 ` Eric Wong
@ 2021-08-17 14:06   ` Konstantin Ryabitsev
  0 siblings, 0 replies; 3+ messages in thread
From: Konstantin Ryabitsev @ 2021-08-17 14:06 UTC (permalink / raw)
  To: Eric Wong; +Cc: meta

On Mon, Aug 16, 2021 at 10:21:48PM +0000, Eric Wong wrote:
> > However, site security policies may deliberately prohibit execution of
> > inline content such as scripts and stylesheets as an extra layer of
> > protection against XSS vulnerabilities. For example, with the following
> > HTTP headers returned by the server, the inline styles above will be
> > ignored:
> > 
> >     Content-Security-Policy: default-src 'self'
> 
> Odd, I thought inline would be the most secure since there's no
> chance of separate requests going to third parties...

For sites that accept untrusted user input (e.g. via query boxes or any other
input), default-src 'self' is the safest setting, because this requires an
attacker to be able to inject both a server-side entry that returns malicious
content *and* an in-page link, script, or img tag that would load it. It helps
eliminate reflected XSS as an attack vector entirely.

> > This causes public-inbox content to be rendered poorly on mobile devices
> > due to the default <pre> behaviour. Duplicating this declaration into
> > the contrib stylesheets makes sure that these styles are applied even
> > with the strictest security policies in place.
> 
> Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

Thank you!

-K
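
The policy behaviour discussed in this thread, as an added example that is not part of the original messages or of public-inbox: a simplified model of how a browser decides whether a Content-Security-Policy header lets an inline <style> or an external stylesheet apply. The origin https://inbox.example and the /216dark.css URL are constructed; wildcard hosts, paths and hash matching are left out.

```javascript
// Added example: simplified CSP check for stylesheets (not public-inbox code).
// Covers keyword sources, '*', scheme sources and exact origins only.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Styles fall back style-src-elem -> style-src -> default-src.
function styleSources(policy) {
  for (const d of ['style-src-elem', 'style-src', 'default-src']) {
    if (policy.has(d)) return policy.get(d);
  }
  return null; // no governing directive: nothing is restricted
}

function inlineStyleAllowed(header, nonce = null) {
  const src = styleSources(parseCsp(header));
  if (src === null) return true;
  const lower = src.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (nonce !== null && src.includes(`'nonce-${nonce}'`)) return true;
  // 'unsafe-inline' is ignored once a nonce or hash source is present.
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function externalStyleAllowed(header, pageOrigin, sheetUrl) {
  const src = styleSources(parseCsp(header));
  if (src === null) return true;
  const url = new URL(sheetUrl, pageOrigin);
  return src.some((s) => {
    const t = s.toLowerCase();
    if (t === "'self'") return url.origin === new URL(pageOrigin).origin;
    if (t === '*') return /^https?:$/.test(url.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(t)) return url.protocol === t;
    return /^https?:\/\//.test(t) && url.origin === t; // exact origin only
  });
}

// Constructed demo values: the header from the thread, a made-up origin and path.
const demoCsp = "default-src 'self'";
console.log(inlineStyleAllowed(demoCsp), externalStyleAllowed(demoCsp, 'https://inbox.example', '/216dark.css'));
```
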
