* **[CGI server extensions][ext]:** Fossil exports the nonce to the
CGI in the `FOSSIL_NONCE` environment variable, which it can then
use in `<script>` elements it generates. Because these extensions
can only be installed by the Fossil server’s system administrator,
this path is also considered safe.
[su]: ./admin-v-setup.md
[ext]: ./serverext.wiki
#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities
We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
* **[CGI server extensions][ext]:** Fossil exports the nonce to the
CGI in the `FOSSIL_NONCE` environment variable, which it can then
use in `<script>` elements it generates. Because these extensions
can only be installed by the Fossil server’s system administrator,
this path is also considered safe.
[ext]: ./serverext.wiki
[su]: ./caps/admin-v-setup.md#apsu
#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities
We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
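Review bot: the substantive change in this hunk is the `[su]` reference target moving from `./admin-v-setup.md` to `./caps/admin-v-setup.md#apsu` (the `[ext]`/`[su]` definition order also swaps, which is harmless since Markdown reference definitions are position-independent). The new target adds both a `caps/` directory and a `#apsu` fragment, so please confirm the file exists at that path in the same change set and that the destination document actually defines an `apsu` anchor; a stale reference definition fails silently in rendered Markdown, leaving readers with a dead link to the administrator-versus-setup capability discussion that the surrounding text relies on.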