Differences From Artifact [e86627fc1e]:
- File www/defcsp.md — part of check-in [3fec387cc3] at 2021-06-26 18:08:12 on branch trunk — Fix various documentation typos. (user: drh size: 21322)
To Artifact [f9d7c3c754]:
- File www/defcsp.md — part of check-in [93cee1f56e] at 2021-09-17 02:02:44 on branch trunk — Converted all uses of the obsolete named anchor feature from HTML before 4.0 to use fragment identifiers instead. (www/* subtree only.) Where possible, changed constructs like `<a name="foo"></a><h3>` to `<h3 id="foo">`. Also fixed a few cases where the link target came after a header so the browser would scroll the header off the screen when visiting the targeted section. Added a 50em pad at the bottom of one such edited doc to allow the intra-doc link targets to be useful since it's a short enough doc that on sufficiently tall browser windows, scrolling isn't possible, so using those anchors has no visible effect. (user: wyoung size: 21298)
| ︙ | ︙ | |||
38 39 40 41 42 43 44 |
<pre>
default-src *;
</pre>
The following sections detail the maining of the default CSP setting.
| | | 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
<pre>
default-src *;
</pre>
The following sections detail the maining of the default CSP setting.
### <a id="base"></a> default-src 'self' data:
This policy means mixed-origin content isn’t allowed, so you can’t refer
to resources on other web domains. Browsers will ignore a link like the
one in the following Markdown under our default CSP:

|
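Review bot: the typo "maining" in the context line "The following sections detail the maining of the default CSP setting." survives on both sides of this hunk; since the surrounding lines are being touched anyway, change it to "meaning". Moving the anchor into the heading as `### <a id="base"></a> default-src 'self' data:` is the right fit here, because a Markdown `###` heading cannot carry an `id` attribute directly, and keeping the `<a>` inside the heading rather than on the line before it is what stops the browser scrolling the heading off-screen when the fragment is visited, as the check-in comment intends.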
| ︙ | ︙ | |||
75 76 77 78 79 80 81 | There are many other cases, [covered below](#serving). [b64]: https://en.wikipedia.org/wiki/Base64 [svr]: ./server/ | | | | | 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 |
There are many other cases, [covered below](#serving).
[b64]: https://en.wikipedia.org/wiki/Base64
[svr]: ./server/
### <a id="img"></a> img-src * data:
As of Fossil 2.15, we don’t restrict the source of inline images at all.
You can pull them in from remote systems as well as pull them from
within the Fossil repository itself, or use `data:` URIs.
If you are certain all images come from only within the repository, you
can close off certain risks — tracking pixels, broken image format
decoders, system dialog box spoofing, etc. — by changing this to
“`img-src 'self'`” possibly followed by “`data:`” if you will also use
`data:` URIs.
### <a id="style"></a> style-src 'self' 'unsafe-inline'
This policy allows CSS information to come from separate files hosted
under the Fossil repo server’s Internet domain. It also allows inline CSS
`<style>` tags within the document text.
The `'unsafe-inline'` declaration allows CSS within individual HTML
elements:
<p style="margin-left: 4em">Indented text.</p>
As the "`unsafe-`" prefix on the name implies, the `'unsafe-inline'`
feature is suboptimal for security. However, there are
a few places in the Fossil-generated HTML that benefit from this
flexibility and the work-arounds are verbose and difficult to maintain.
Furthermore, the harm that can be done with style injections is far
less than the harm possible with injected javascript. And so the
`'unsafe-inline'` compromise is accepted for now, though it might
go away in some future release of Fossil.
### <a id="script"></a> script-src 'self' 'nonce-%s'
This policy disables in-line JavaScript and only allows `<script>`
elements if the `<script>` includes a `nonce` attribute that matches the
one declared by the CSP. That nonce is a large random number, unique for
each HTTP page generated by Fossil, so an attacker cannot guess the
value, so the browser will ignore an attacker’s injected JavaScript.
|
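Review bot: the hardening advice in the img-src section ("changing this to `img-src 'self'` possibly followed by `data:`") should say that keeping `data:` only narrows the tracking-pixel and remote-fetch risks listed in the same sentence; an inline `data:` image is still handed to the browser's image decoder, so the "broken image format decoders" item is closed off by `'self'` alone, not by `'self' data:`. In the script-src section the final sentence chains two "so" clauses ("so an attacker cannot guess the value, so the browser will ignore"); reword to "an attacker cannot guess the value, and the browser therefore ignores injected JavaScript", and state explicitly that the `%s` in `'nonce-%s'` is a placeholder Fossil replaces with that per-page random value, since the heading shows the literal template and the text never says so.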
| ︙ | ︙ | |||
152 153 154 155 156 157 158 |
can only be installed by the Fossil server’s system administrator,
this path is also considered safe.
[ext]: ./serverext.wiki
[su]: ./caps/admin-v-setup.md#apsu
| | | 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 |
can only be installed by the Fossil server’s system administrator,
this path is also considered safe.
[ext]: ./serverext.wiki
[su]: ./caps/admin-v-setup.md#apsu
#### <a id="xss"></a>Cross-Site Scripting via Ordinary User Capabilities
We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
rights on your repository could add a JavaScript file to your repository
and then refer to it from other content added to the site. Since
JavaScript code can access any data from any URI served under its same
|
| ︙ | ︙ | |||
212 213 214 215 216 217 218 | through check-ins. [ed]: ./embeddeddoc.wiki [edtf]: ./embeddeddoc.wiki#th1 [hfed]: ./embeddeddoc.wiki#html | | | 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 |
through check-ins.
[ed]: ./embeddeddoc.wiki
[edtf]: ./embeddeddoc.wiki#th1
[hfed]: ./embeddeddoc.wiki#html
## <a id="serving"></a>Serving Files Within the Limits
There are several ways to serve files within the above restrictions,
avoiding the need to [override the default CSP](#override). In
decreasing order of simplicity and preference:
1. Within [embedded documentation][ed] (only!) you can refer to files
stored in the repo using document-relative file URLs:
|
| ︙ | ︙ | |||
303 304 305 306 307 308 309 | [tkt]: ./tickets.wiki [tn]: ./event.wiki [uu]: /help?cmd=/uv [uv]: ./unvers.wiki [wiki]: ./wikitheory.wiki | | | | 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 | [tkt]: ./tickets.wiki [tn]: ./event.wiki [uu]: /help?cmd=/uv [uv]: ./unvers.wiki [wiki]: ./wikitheory.wiki ## <a id="override"></a>Overriding the Default CSP If you wish to relax the default CSP’s restrictions or to tighten them further, there are multiple ways to accomplish that. The following methods are listed in top-down order to give the simplest and most straightforward method first. Further methods dig down deeper into the stack, which is helpful to understand even if you end up using a higher-level method. ### <a id="cspsetting"></a>The `default-csp` Setting If the [`default-csp` setting](/help?cmd=default-csp) is defined and is not an empty string, its value is injected into the page using [TH1](./th1.md) via one or more of the methods below, depending on the skin you’re using and local configuration. Changing this setting is the easiest way to set a nonstandard CSP on |
| ︙ | ︙ | |||
353 354 355 356 357 358 359 |
2. For more complicated CSPs, the quoting rules for your shell and the
CSP syntax may interact, making it difficult or impossible to set
your desired CSP via the command line. Setting it via the web UI
doesn’t have this problem.
| | | | | 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 |
2. For more complicated CSPs, the quoting rules for your shell and the
CSP syntax may interact, making it difficult or impossible to set
your desired CSP via the command line. Setting it via the web UI
doesn’t have this problem.
### <a id="th1"></a>TH1 Setup Hook
Fossil sets [the TH1 variable `$default_csp`][thvar] from the
`default-csp` setting and uses *that* to inject the value into generated
HTML pages in its stock configuration.
This means that another way you can override this value is to use
the [`th1-setup` hook script](./th1-hooks.md), which runs before TH1
processing happens during skin processing:
$ fossil set th1-setup "set default_csp {default-src 'self'}"
After [the above](#admin-ui), this is the cleanest method.
[thvar]: ./customskin.md#vars
### <a id="csrc"></a>Fossil C Source Code
When you do neither of the above things, Fossil uses
[a hard-coded default](/info?ln=527-530&name=65a555d0d4fb846b).
We tell you about this not to suggest that you hack the Fossil C source
code to change the CSP but simply to document the next step before we
move down-stack.
### <a id="header"></a>Skin Header
[In the normal case](./customskin.md#override), Fossil injects the CSP
retrieved by one of the above methods into the header of all HTML
documents it generates:
```HTML
<head>...
|
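Review bot: the example `fossil set th1-setup "set default_csp {default-src 'self'}"` is a policy with no `script-src` directive, so `script-src` falls back to `default-src 'self'` and the `'nonce-%s'` source described earlier in this document is gone; any of Fossil's own nonce-bearing `<script>` elements would then be blocked on pages served under that policy. Either say the value only illustrates the mechanism and is not a recommended CSP, or use a policy that keeps a `script-src` directive carrying the nonce source, so a reader who copies the command does not silently break the UI.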
| ︙ | ︙ | |||
443 444 445 446 447 448 449 | `$default_csp` variable like the Bootstrap skin does so you can use one of the methods above with your custom skin, so the CSP can vary independently of the skin. [dcinj]: /info?ln=7&name=bef080a6929a3e6f | | | 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 | `$default_csp` variable like the Bootstrap skin does so you can use one of the methods above with your custom skin, so the CSP can vary independently of the skin. [dcinj]: /info?ln=7&name=bef080a6929a3e6f ### <a id="fep"></a>Front-End Proxy If your Fossil repo is behind some sort of HTTP [front-end proxy][svr], the [preferred method][pmcsp] for setting the CSP is via a custom HTTP header, which most HTTP reverse proxy programs allow. Beware that if you have a CSP set via both the HTTP and HTML headers that the two CSPs [merge](https://stackoverflow.com/a/51153816/142454), |
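Review bot: "merge" in "the two CSPs merge" is easy to read as a union of the two source lists; when a policy is delivered both in the HTTP header and in an HTML `<meta>` tag, each policy is enforced separately and a resource must satisfy both, so the effective policy is the stricter intersection. The sentence is cut off at the end of this hunk, so if its continuation does not already say this, spell it out in the text rather than relying on the linked Stack Overflow answer.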
| ︙ | ︙ |