From: Omar Polo
Subject: gotwebd: add a CSP header?
To: gameoftrees@openbsd.org
Date: Fri, 19 Aug 2022 20:08:15 +0200

related to the escaping thing I got into. The CSP (Content-Security-Policy) is an http header used to limit from where stuff can be fetched. In particular I think it can be useful to block the loading of scripts in case we fail to escape something. It should be (or at least I'm intending it as) a safety net.

The policy I'm proposing is

	default-src 'self'; script-src 'none'; object-src 'none';

which should disallow the loading/execution of scripts and objects no matter where they come from and allow CSS, images, fonts and whatnot only from the same domain. Browsers that don't support it should just ignore the header.

To be fair I'm not an expert here, I just read the "documentation"[0] and came up with that. It doesn't seem to be too hard fortunately and doesn't break gotwebd on firefox and chrome!

[0]: https://content-security-policy.com/

diff 0e9860257eadd668942affe9f2846a6e09603e3b 7e814f82ceb21d9c11820872021b6c3915b3524c
commit - 0e9860257eadd668942affe9f2846a6e09603e3b
commit + 7e814f82ceb21d9c11820872021b6c3915b3524c
blob - 4dfa5656c52bd7eff6cdc8b2196476bb8e664581
blob + 2b1445f32207f7b9c8c19e60f2c2bbf7adf89c78
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
@@ -625,7 +625,13 @@ gotweb_free_transport(struct transport *t)
 const struct got_error *
 gotweb_render_content_type(struct request *c, const uint8_t *type)
 {
-	fcgi_printf(c, "Content-Type: %s\r\n\r\n", type);
+	const char *cps = "default-src 'self'; script-src 'none'; "
+	    "object-src 'none';";
+
+	fcgi_printf(c,
+	    "Content-Security-Policy: %s\r\n"
+	    "Content-Type: %s\r\n\r\n",
+	    cps, type);
 	return NULL;
 }
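Review bot: the variable is named `cps` while the header it feeds is Content-Security-Policy, so `const char *csp = ...` would read better and avoid the transposition spreading into later code. One caveat on the policy string itself: with `default-src 'self'` and no explicit `style-src`, inline `style=` attributes and `<style>` blocks fall back to default-src and are blocked by conforming browsers, so the HTML templates need all styling in the external stylesheet (or an explicit `style-src 'self' 'unsafe-inline'`, which weakens the safety net) for the header to be harmless. Also worth noting that this function emits the header for every response type, not just text/html, which is fine but means non-HTML content carries it too; and the return value of `fcgi_printf` is still ignored, as it was before the change.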