
From:
Omar Polo <op@omarpolo.com>
Subject:
gotwebd: add a CPS header?
To:
gameoftrees@openbsd.org
Date:
Fri, 19 Aug 2022 20:08:15 +0200

Related to the escaping thing I got into.  The CPS
(Content-Security-Policy) is an HTTP header used to limit from where
stuff can be fetched.

In particular I think it can be useful to block the loading of scripts
in case we fail to escape something.  It should be (or at least I'm
intending it as) a safety net.

The policy I'm proposing is

	default-src 'self'; script-src 'none'; object-src 'none';

which should disallow the loading/execution of scripts and objects no
matter where they come from and allow CSS, images, fonts and whatnot
only from the same domain.  Browsers that don't support it should just
ignore the header.

To be fair I'm not an expert here, I just read the "documentation"[0]
and came up with that.  Fortunately it doesn't seem to be too hard, and
it doesn't break gotwebd on Firefox and Chrome!

[0]: https://content-security-policy.com/

diff 0e9860257eadd668942affe9f2846a6e09603e3b 7e814f82ceb21d9c11820872021b6c3915b3524c
commit - 0e9860257eadd668942affe9f2846a6e09603e3b
commit + 7e814f82ceb21d9c11820872021b6c3915b3524c
blob - 4dfa5656c52bd7eff6cdc8b2196476bb8e664581
blob + 2b1445f32207f7b9c8c19e60f2c2bbf7adf89c78
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
@@ -625,7 +625,13 @@ gotweb_free_transport(struct transport *t)
 const struct got_error *
 gotweb_render_content_type(struct request *c, const uint8_t *type)
 {
-	fcgi_printf(c, "Content-Type: %s\r\n\r\n", type);
+	const char *cps = "default-src 'self'; script-src 'none'; "
+		"object-src 'none';";
+
+	fcgi_printf(c,
+	    "Content-Security-Policy: %s\r\n"
+	    "Content-Type: %s\r\n\r\n",
+	    cps, type);
 	return NULL;
 }
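Review bot: the new local `cps` should be named `csp`; the header being emitted is Content-Security-Policy, and its abbreviation is CSP, so a reader grepping for the usual name will miss it. It would also help to add a comment above the string stating the intent (`script-src 'none'` as a safety net against unescaped output) and the consequence of `default-src 'self'` without `'unsafe-inline'`: inline `<style>` blocks, `style=` attributes and inline event handlers are blocked as well, so gotweb's templates must keep all styling in external stylesheets served from the same origin for this not to break rendering.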
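To see what the proposed policy actually permits, here is an added example (not gotwebd code) that parses the header value from the patch and evaluates sample loads against it, including the CSP rule that `style-src`, `img-src` and the like fall back to `default-src` when not set explicitly. The page origin `https://git.example` and the resource URLs are constructed for the demonstration.

```python
# Added example, not part of gotwebd: a minimal evaluator for the policy
# proposed in the patch.  Only the features that policy uses are modelled.
from urllib.parse import urlsplit

POLICY = "default-src 'self'; script-src 'none'; object-src 'none';"

# Fetch directives that fall back to default-src when absent (CSP2/CSP3).
FETCH_KINDS = {"script", "style", "img", "font", "object", "connect", "media"}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def is_allowed(policy, kind, page_origin, resource=None):
    """True if a page at page_origin may load `resource` of type `kind`.
    resource=None means an inline resource (inline <script>/<style>)."""
    if kind not in FETCH_KINDS:
        raise ValueError("unsupported directive kind: %s" % kind)
    sources = policy.get(kind + "-src")
    if sources is None:               # fall back to default-src
        sources = policy.get("default-src")
    if sources is None:               # not restricted at all
        return True
    if "'none'" in sources:
        return False
    if resource is None:              # inline content needs 'unsafe-inline'
        return "'unsafe-inline'" in sources
    parts = urlsplit(resource)
    origin = "%s://%s" % (parts.scheme, parts.netloc)
    return any(src == "*" or src == origin or
               (src == "'self'" and origin == page_origin)
               for src in sources)


if __name__ == "__main__":
    # Constructed sample: a gotwebd instance at https://git.example.
    p, origin = parse_csp(POLICY), "https://git.example"
    for kind, url in [("script", "https://git.example/app.js"),
                      ("script", None), ("style", None),
                      ("style", "https://git.example/gotweb.css"),
                      ("img", "https://cdn.example/logo.png"),
                      ("object", "https://git.example/plugin.bin")]:
        print(kind, url or "<inline>", is_allowed(p, kind, origin, url))
```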