Diff

Differences From Artifact [dfdac6a88e]:

To Artifact [fd1cd9c8d4]:









-

+








*   **[CGI server extensions][ext]:** Fossil exports the nonce to the
    CGI in the `FOSSIL_NONCE` environment variable, which it can then
    use in `<script>` elements it generates. Because these extensions
    can only be installed by the Fossil server’s system administrator,
    this path is also considered safe.

[su]:  ./admin-v-setup.md
[ext]: ./serverext.wiki
[su]:  ./caps/admin-v-setup.md#apsu


#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities

We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
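Review bot: the only change in this hunk is the `[su]` reference definition moving from `./admin-v-setup.md` to `./caps/admin-v-setup.md#apsu`, so the review question is whether that target resolves: confirm the `apsu` anchor exists in the relocated file and that nothing else in the docs still links to the old `./admin-v-setup.md` path, otherwise the text that cites `[su]` for the super-user requirement ends on a dead link. The surrounding context (the `[ext]` bullet and the `[ext]` definition) is untouched, which is consistent with this being a pure link-target fix.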