From 5d97220cdd4895642b1f572d034e4c26d6b8f235 Mon Sep 17 00:00:00 2001
From: "Anthony J. Bentley"
Date: Sun, 10 Nov 2019 22:18:02 +0000
Subject: Add a Content-Security-Policy HTTP header that allows only CSS.

This ensures that in a modern browser that understands the header, mandoc rendering bugs cannot possibly be interpreted as JavaScript.

ok schwarze@
---
 usr.bin/mandoc/cgi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'usr.bin')

diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c
index 688b0e50728..346229bd6bd 100644
--- a/usr.bin/mandoc/cgi.c
+++ b/usr.bin/mandoc/cgi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cgi.c,v 1.106 2019/10/01 17:54:04 schwarze Exp $ */
+/* $OpenBSD: cgi.c,v 1.107 2019/11/10 22:18:01 bentley Exp $ */
 /*
 * Copyright (c) 2011, 2012 Kristaps Dzonsons
 * Copyright (c) 2014-2019 Ingo Schwarze
@@ -336,6 +336,8 @@ resp_begin_http(int code, const char *msg)
 printf("Content-Type: text/html; charset=utf-8\r\n"
 "Cache-Control: no-cache\r\n"
+ "Content-Security-Policy: default-src 'none'; "
+ "style-src 'self' 'unsafe-inline'\r\n"
 "Pragma: no-cache\r\n"
 "\r\n");
-- 
cgit v1.2.3
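Review bot: The `default-src 'none'` introduced on the two added lines does not govern `base-uri`, `form-action` or `frame-ancestors`, since those directives never fall back to `default-src`, so a markup-injection bug in the rendered page could still, for example, redirect relative links through an injected `<base>` element even with this policy in place. Consider extending the first added line to `"Content-Security-Policy: default-src 'none'; base-uri 'none'; "` ahead of the existing `style-src` line, and deciding explicitly whether `form-action 'self'` (if the search form submits back to this CGI) and a `frame-ancestors` value are wanted too. The rationale for `'unsafe-inline'` lives only in the commit message; a comment above the header such as `/* Forbid scripts, frames and remote content; mandoc's HTML presumably relies on inline styles, hence 'unsafe-inline'. */` would keep it with the code. resp_begin_http begins and ends outside the hunk.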