Overview
| Comment: | Further adjustments to the default CSP to allow in-line images. |
|---|---|
| SHA3-256: | c184d646c3e07259092aa668e6bf7edb |
| User & Date: | drh 2021-03-03 17:21:03.292 |
Context
2021-03-03
| Time | Comment | Check-in | User | Tags |
|---|---|---|---|---|
| 17:24 | [/help/leaves|leaves command] now shows the branch point of each leaf, as discussed in [forum:5e52d31d2e]. | d21e3c5a3a | stephan | trunk |
| 17:21 | Further adjustments to the default CSP to allow in-line images. | c184d646c3 | drh | trunk |
| 16:41 | Relax the built-in CSP to remove all restrictions on the source of images. | 025a007249 | drh | trunk |
Changes
Changes to src/db.c.
| ︙ | ︙ | |||
4216 4217 4218 4219 4220 4221 4222 | ** ** If this setting is an empty string or is omitted, then ** the following default Content Security Policy is used: ** ** default-src 'self' data:; ** script-src 'self' 'nonce-$nonce'; ** style-src 'self' 'unsafe-inline'; | | | 4216 4217 4218 4219 4220 4221 4222 4223 4224 4225 4226 4227 4228 4229 4230 | ** ** If this setting is an empty string or is omitted, then ** the following default Content Security Policy is used: ** ** default-src 'self' data:; ** script-src 'self' 'nonce-$nonce'; ** style-src 'self' 'unsafe-inline'; ** img-src * data:; ** ** The default CSP is recommended. The main reason to change ** this setting would be to add CDNs from which it is safe to ** load additional content. */ /* ** SETTING: uv-sync boolean default=off |
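Review bot: the default policy is now spelled out verbatim in three places that this check-in had to edit in lockstep (this help comment, the zBackupCSP literal in src/style.c, and the <pre> block in www/defcsp.md); consider noting in this comment that the string in style_csp() is the authoritative copy, so the next directive change does not leave the help text stale. The added `img-src * data:;` line itself is consistent with the neighbouring directives (trailing semicolon, placed after style-src). One point worth a sentence in the help text: once img-src is present it replaces default-src for image loads, so the explicit `data:` is required here, since a bare `*` source does not match data: URLs.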
| ︙ | ︙ |
Changes to src/style.c.
| ︙ | ︙ | |||
545 546 547 548 549 550 551 | ** The CSP comes from the "default-csp" setting if it exists and ** is non-empty. If that setting is an empty string, then the following ** default is used instead: ** ** default-src 'self' data:; ** script-src 'self' 'nonce-$nonce'; ** style-src 'self' 'unsafe-inline'; | | | | 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 |
** The CSP comes from the "default-csp" setting if it exists and
** is non-empty. If that setting is an empty string, then the following
** default is used instead:
**
** default-src 'self' data:;
** script-src 'self' 'nonce-$nonce';
** style-src 'self' 'unsafe-inline';
** img-src * data:;
**
** The text '$nonce' is replaced by style_nonce() if and whereever it
** occurs in the input string.
**
** The string returned is obtained from fossil_malloc() and
** should be released by the caller.
*/
char *style_csp(int toHeader){
static const char zBackupCSP[] =
"default-src 'self' data:; "
"script-src 'self' 'nonce-$nonce'; "
"style-src 'self' 'unsafe-inline'; "
"img-src * data:";
const char *zFormat;
Blob csp;
char *zNonce;
char *zCsp;
int i;
if( disableCSP ) return fossil_strdup("");
zFormat = db_get("default-csp","");
|
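Review bot: the unchanged comment line "if and whereever it occurs" has a typo ("wherever"); since this hunk already rewrites the surrounding comment block, fix it here rather than in a separate check-in. The new `"img-src * data:"` literal in zBackupCSP agrees with the `img-src * data:;` line in the comment above it, which is what matters because the literal, not the comment, is what the server emits. Note that zBackupCSP is only consulted when db_get("default-csp","") returns an empty string, so installations that have set their own default-csp will not pick up the new img-src directive; the commit message could say so explicitly.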
| ︙ | ︙ |
Changes to www/defcsp.md.
| ︙ | ︙ | |||
24 25 26 27 28 29 30 |
The default CSP used by Fossil is as follows:
<pre>
default-src 'self' data:;
script-src 'self' 'nonce-$nonce';
style-src 'self' 'unsafe-inline';
| | | 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
The default CSP used by Fossil is as follows:
<pre>
default-src 'self' data:;
script-src 'self' 'nonce-$nonce';
style-src 'self' 'unsafe-inline';
img-src * data:;
</pre>
The default is recommended for most installations. However,
the site administrators can overwrite this default DSP using the
[default-csp setting](/help?cmd=default-csp). For example,
CSP restrictions can be completely disabled by setting the default-csp to:
|
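Review bot: the context line "overwrite this default DSP" should read "CSP"; worth correcting while this paragraph is being touched. The updated <pre> block matches the new zBackupCSP literal in src/style.c. Because `img-src *` is now the one directive in the default that is not restricted to 'self' (it admits images from any http or https origin, while `data:` still has to be listed separately because `*` does not cover data: URLs), a short sentence after the block explaining that choice would help administrators who read this page when deciding whether to keep the default or tighten it through the default-csp setting.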
| ︙ | ︙ |