From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <konstantin@linuxfoundation.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net
X-Spam-Level: 
X-Spam-ASN: AS3215 2.6.0.0/16
X-Spam-Status: No, score=-3.9 required=3.0 tests=AWL,BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham
	autolearn_force=no version=3.4.2
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by dcvr.yhbt.net (Postfix) with ESMTPS id 3293C1F8C6
	for <meta@public-inbox.org>; Tue, 17 Aug 2021 14:06:59 +0000 (UTC)
Received: by mail-qk1-x72c.google.com with SMTP id e14so23140924qkg.3
        for <meta@public-inbox.org>; Tue, 17 Aug 2021 07:06:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linuxfoundation.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=otxAXDERRRwNi/Z3TZQ5l6s1hYOs/gEUGwCG0nYybMY=;
        b=R28Ivq4myfG26GzF2GwXEdKGz+xIUAa0OIBYg6QOHEXwHtefVpwIs27ukqTc9ZajaO
         j4QFmf6OpCdkKQuggPc+fpfsp8OQoOr3R0Y5oqNggjCwRBhQuwBfxJcUSJ2ElyDWJxlX
         UuAcVedOpJJ8+2fHkGO9a1q9Sm2IMqgGU1acM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=otxAXDERRRwNi/Z3TZQ5l6s1hYOs/gEUGwCG0nYybMY=;
        b=P7W0RAa36NB2vuuQ78qCNrvzXeeh7oKEdx/J1ImizwdGF7pP5niTCyNm+0ScxUUWRr
         Y6BYldJdGZtUIzsiZa1Bb0SYk6jdaIuVNYR0mKU30aBOwOn8EKAwuG3plScAw4OwM0NT
         45uue84A7tuBLEb2lBUOV6Fx6PvMtYmUYM9phI8bS9tlYViFbTmMtHGKDGItFy+C4xGY
         2U7T247A3tiZtAbLEFG06SHEZ8Dav0Mt7yGfMMBx/oWX6vl+yLhMdUSxQFo0x3CtdhzN
         NAeE/0MUY8hPwX3cONR2JVPyyZNQ0Ji6r+k0dvSL23dj4Rl4x1aWEbZu/FDucot/0N2P
         Hr+w==
X-Gm-Message-State: AOAM532sIxAaF1yaJ3rPLOw+MmMDOR6w1u6b8cP5O37WNdF2IM38ZNVP
	MmL2WmkT/OEchg5SY2Dq4EnCfw==
X-Google-Smtp-Source: ABdhPJxTUs63tecjM8QZsKdWsq7oc1p22HifhsLcgI3KKbGszjCqfbbYyImswlqVZkiagcN9X0ET5A==
X-Received: by 2002:a05:620a:ce1:: with SMTP id c1mr4012784qkj.471.1629209217273;
        Tue, 17 Aug 2021 07:06:57 -0700 (PDT)
Received: from nitro.local ([89.36.78.230])
        by smtp.gmail.com with ESMTPSA id h2sm1550722qkf.106.2021.08.17.07.06.56
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 17 Aug 2021 07:06:56 -0700 (PDT)
Date: Tue, 17 Aug 2021 10:06:55 -0400
From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Eric Wong <e@80x24.org>
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Duplicate base css definitions in stylesheets
Message-ID: <20210817140655.n37dwchcyq3b5nth@nitro.local>
References: <20210816145015.2tbjqkozb6ezfkvj@nitro.local>
 <20210816222148.GA25044@dcvr>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20210816222148.GA25044@dcvr>
List-Id: <meta.public-inbox.org>

On Mon, Aug 16, 2021 at 10:21:48PM +0000, Eric Wong wrote:
> > However, site security policies may deliberately prohibit execution of
> > inline content such as scripts and stylesheets as an extra layer of
> > protection against XSS vulnerabilities. For example, with the following
> > HTTP headers returned by the server, the inline styles above will be
> > ignored:
> > 
> >     Content-Security-Policy: default-src 'self'
> 
> Odd, I thought inline would be the most secure since there's no
> chance of separate requests going to third parties...

For sites that accept untrusted user input (e.g. via query boxes or any other
input), default-src 'self' is the safest setting, because this requires an
attacker to be able to inject both a server-side entry that returns malicious
content *and* an in-page link, script, or img tag that would load it. It helps
eliminate reflected XSS as an attack vector entirely.

> > This causes public-inbox content to be rendered poorly on mobile devices
> > due to the default <pre> behaviour. Duplicating this declaration into
> > the contrib stylesheets makes sure that these styles are applied even
> > with the strictest security policies in place.
> 
> Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

Thank you!

-K