# The Default Content Security Policy (CSP)

When Fossil’s web interface generates an HTML page, it
normally includes a [Content Security Policy][csp] (CSP)
in the `<head>`.
which applies to all content on that page. The CSP tells the browser
which types of content (HTML, image, CSS, JavaScript...) the repository
is expected to serve, and thus which types of content a compliant
The CSP tells the browser what types of content (HTML, image, CSS,
JavaScript...) the document may reference and from where the
content may be sourced.
browser is allowed to pay attention to. All of the major browsers
enforce CSP restrictions.

A CSP is an important security measure on any site where some of the
content it serves is user-provided. It defines a “white list” of content
types believed to be safe and desirable, so that if any content outside
CSP is a security measure designed to prevent [cross-site scripting][xss]
(XSS) and other similar code injection attacks.
The CSP defines a “white list” of content types and origins that
are considered safe.  Any references to resources that are not
of that definition gets inserted into the repository later, the browser
will treat that unwanted content as if it was not part of the document
at all.
on the white list are ignored.

If Fossil were perfect and bug-free and never allowed any kind of
code injection on the pages it generates, then the CSP would not
A CSP is a fairly blunt tool. It cannot tell good and visually appealing
enhancements from vandalism or outright attacks. All it does is tell the
browser what types and sources for page content were anticipated by the
site’s creators. The browser treats everything else as “unwanted” even
if that’s not actually true. When the CSP prevents the browser from
be useful.  The Fossil developers are not aware of any defects
in Fossil that allow code injection, and will promptly fix any defects 
that are brought to their attention.  Lots of eyeballs are looking at
Fossil to find problems in the code, and the Fossil build process uses
custom static analysis techniques to help identify code injection problems
at compile-time.  Nevertheless, problems do sometimes (rarely) slip
through.  The CSP serves as a final line of defense, preventing
displaying wanted content, you then have to understand the current rules
and what they’re trying to accomplish to decide on [an appropriate
workaround](#override).
code injection defects in Fossil from turning into actual
vulnerabilities.

Fossil site administrators can [modify the default CSP](#override), perhaps
to add trusted external sources for auxiliary content.  But for maximum
safety, site developers are encouraged to work within the restrictions
imposed by the default CSP and avoid the temptation to relax the CSP
unless they fully understand the security implications of what they are
doing.

## The Default Restrictions

The Fossil default CSP declares the following content restrictions:


### <a name="base"></a> default-src 'self' data
### <a name="base"></a> default-src 'self' data:

This policy means mixed-origin content isn’t allowed, so you can’t refer to
resources (images, style-sheets, and scripts) on other web domains.
resources on other web domains, so the following Markdown for an inline
Hence the following Markdown for an inline
image hosted on another site will cause a CSP error:

         ![fancy 3D Fossil logotype](https://i.imgur.com/HalpMgt.png)

This policy allows inline `data:` URIs, which means you could
The default policy does allows inline `data:` URIs, which means you could
[data-encode][de] your image content and put it inline within the
document:

         ![small inline image](data:image/gif;base64,R0lGODlh...)

That method is best used for fairly small resources. Large `data:` URIs
are hard to read and edit. Keep in mind that if you put such a thing
into a Fossil forum post, anyone subscribed to email alerts will get a
copy of the raw URI text, which is really ugly.

For larger files, you could instead store the file in Fossil as:
For larger images in [embedded documentation](./embeddeddoc.wiki) you
store the image as a separate file in the Fossil repository and reference
it via a relative URI.

*   **versioned content** retrieved via a [`/raw`](/help?cmd=/raw) URL
*   **[unversioned content](./unvers.wiki)** retrieved
    via a [`/uv`](/help?cmd=/uv) URL
         ![large inline image](./inlineimage.jpg)

Another path around this restriction is to [serve your
repo](./server/) behind an HTTP proxy server, allowing mixed-mode
content serving, with static images and such served directly by the HTTP
server and the dynamic content by Fossil. That allows a URI scheme that
prevents the browser’s CSP enforcement from distinguishing content from
Fossil proper and that from the front-end proxy.

Any content from the same domain as the Fossil repository will work fine.
So if the Fossil repository is but one path in a larger website, it will
be able reference other static resources within that same website.  It
can also reference [unversioned content](./unvers.wiki).  However, as
unversioned content and content outside of the Fossil repository itself
will not be transferred by [sync](/help?cmd=sync), the references probably
will not work in clones of your repository.

### <a name="style"></a> style-src 'self' 'unsafe-inline'

This policy allows CSS information to come from separate files in the
This policy means CSS files can only come from the Fossil server or via
same domain of the Fossil server, or for CSS to be embedded inline within
a front-end proxy as in the inline image workarounds above. It also says
that inline CSS is disallowed; this will give a CSP error:
the document text.

        <p style="margin-left: 4em">Some bit of indented text</p>

In practice, this means you must put your CSS into [the “CSS” section of
The `'unsafe-inline'` element means that an injection vulnerability in
Fossil would allow an attacker to modify the CSS for a Fossil-generated
page.  This is not ideal, but nor is it as dangerous as allowing
a custom skin][cs], not inline within Markdown, Wiki, or
HTML tags. You can refer to specific tags in the document through “`id`”
and “`class`” attributes.

injected javascript to run, and Fossil uses of in-line CSS
The reason for this restriction might not be obvious, but the risks boil
down to this: CSS is sufficiently powerful that if someone can apply
their CSS to your site, they can make it say things you don’t want it to
for things like setting background colors in timelines and defining
say, hide important information, and more. Thus, we restrict all CSS to
come from trusted channels only.

line widths in bar graphs on the [Activity Reports](/reports) page, 
We do currently trust CSS checked into the repository as a file, but
that stance might be overly-trusting, so we might revoke it later, as we
do for JavaScript:

so it seems like in-line CSS is a necessary compromise at this time.

### <a name="script"></a> script-src 'self' 'nonce-%s'

This policy means HTML `<script>` tags are only allowed to be emitted
into the output HTML by Fossil C or TH1 code, because only code running
in those contexts can insert the correct “nonce” tag attribute, matching
the one declared in the CSP.¹ Since the nonce is a very large random
number that changes on each HTTP hit Fossil handles, it is effectively
unguessable, which prevents attackers from inserting `<script>` tags
This policy disables in-line javascript and only allows `<script>`
elements if the `<script>` includes a `nonce=` attribute the
matches the %s section of the CSP.  Fossil provides a different
random nonce for every page it generates, and since an attacker has
no way of predicting what that nonce will be, the attacker is unable
to inject working javascript.
statically.

For documents generated by the [CGI extensions](./serverext.wiki), the
This means the workarounds given above will not work for JavaScript.
value of the nonce is accessible in the FOSSIL_NONCE environment variable.
Under this policy, the only JavaScript that Fossil can serve is that
which it directly provided.

TH1 scripts that run while generating the header or footer can access
Users with the all-powerful Setup capability can insert arbitrary
JavaScript by [defining a custom skin][cs], adding it to the skin’s
the nonce in the $nonce variable.  The JavaScript section of a
“JavaScript” section, which has the random nonce automatically inserted
by Fossil when it serves the page. This is how the JS backing the
default skin’s [hamburger menu](./customskin.md#menu) works.

[custom skin][cs] automatically includes the appropriate nonce.

#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities

We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
rights on your repository could add a JavaScript file to your repository

[ed]:   ./embeddeddoc.wiki
[edtf]: ./embeddeddoc.wiki#th1
[fp]:   ./forum.wiki
[hfed]: ./embeddeddoc.wiki#html
[tkt]:  ./tickets.wiki
[tn]:   ./event.wiki
[wiki]: ./wikitheory.wiki


## <a name="override"></a>Replacing the Default CSP

If you wish to relax the default CSP’s restrictions or to tighten them
further, there are two ways to accomplish that:

    stock skins. With Fossil 2.10, the stock Bootstrap skin uses
    `$default_csp` instead, so you can [override it as above](#th1).


[cs]:    ./customskin.md
[csp]:   https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[de]:    https://dopiaza.org/tools/datauri/index.php
[xss]:   https://en.wikipedia.org/wiki/Cross-site_scripting
[xssci]: https://fossil-scm.org/forum/forumpost/e7c386b21f