authorAnthony J. Bentley <bentley@cvs.openbsd.org>2019-11-10 22:18:02 +0000
committerAnthony J. Bentley <bentley@cvs.openbsd.org>2019-11-10 22:18:02 +0000
commit5d97220cdd4895642b1f572d034e4c26d6b8f235 (patch)
treeb30aa13fc6c8725740a98fa41951caa1449a5a0d /usr.bin/mandoc
parent8dfdefe5357f9642fcf1e9ac3ba31d177073ee59 (diff)
Add a Content-Security-Policy HTTP header that allows only CSS.
This ensures that in a modern browser that understands the header, mandoc rendering bugs cannot possibly be interpreted as JavaScript. ok schwarze@
Diffstat (limited to 'usr.bin/mandoc')
-rw-r--r--usr.bin/mandoc/cgi.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c
index 688b0e50728..346229bd6bd 100644
--- a/usr.bin/mandoc/cgi.c
+++ b/usr.bin/mandoc/cgi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgi.c,v 1.106 2019/10/01 17:54:04 schwarze Exp $ */
+/* $OpenBSD: cgi.c,v 1.107 2019/11/10 22:18:01 bentley Exp $ */
/*
* Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
* Copyright (c) 2014-2019 Ingo Schwarze <schwarze@usta.de>
@@ -336,6 +336,8 @@ resp_begin_http(int code, const char *msg)
printf("Content-Type: text/html; charset=utf-8\r\n"
"Cache-Control: no-cache\r\n"
+ "Content-Security-Policy: default-src 'none'; "
+ "style-src 'self' 'unsafe-inline'\r\n"
"Pragma: no-cache\r\n"
"\r\n");
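Review bot: The `default-src 'none'` added on line 30 does not govern `form-action`, `frame-ancestors` or `base-uri`, none of which fall back to default-src, so the policy is looser than "allows only CSS" suggests: the page can still be framed by any origin and its forms can still post anywhere. If the script's search form submits to itself, `"style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'\r\n"` closes those gaps without affecting rendering; if leaving them open is deliberate, a comment saying so would save the next reader the same question. A one-line why-comment on line 31 would also help, e.g. `/* 'unsafe-inline' is required for the style= attributes in mandoc's HTML output — confirm */`, since a reader otherwise sees it as a weakening of the policy. resp_begin_http's signature and the rest of its body lie outside the hunk.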