Fossil

Check-in [1c4df5bf]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Reworked the new introductory material in defcsp.md to be less about the CSP as last-resort and more about being a secondary filter to our other measures. Gave examples to clarify the tensions that prevent a purely server-side solution from being a practical solution.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 1c4df5bf0a52724062aa50d0f698df86028cbfe046c1b01d72a782f497eaf723
User & Date: wyoung 2019-08-22 12:39:32
Context
2019-08-22
13:13
Expanded the discussion of in-repo and out-of-repo resource links in defcsp.md. check-in: 23fcd765 user: wyoung tags: trunk
12:39
Reworked the new introductory material in defcsp.md to be less about the CSP as last-resort and more about being a secondary filter to our other measures. Gave examples to clarify the tensions that prevent a purely server-side solution from being a practical solution. check-in: 1c4df5bf user: wyoung tags: trunk
11:54
"RaspberryPI" -> "Raspberry Pi" check-in: 5182be99 user: wyoung tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to www/defcsp.md.

1
2
3
4
5
6
7

8

9
10
11
12
13
14




15
16
17
18
19
20
21
22

23
24
25
26


27







28
29
30
31
32
33



34
35
36
37
38
39
40
# The Default Content Security Policy (CSP)

When Fossil’s web interface generates an HTML page, it
normally includes a [Content Security Policy][csp] (CSP)
in the `<head>`.
The CSP tells the browser what types of content (HTML, image, CSS,
JavaScript...) the document may reference and from where the

content may be sourced.


CSP is a security measure designed to prevent [cross-site scripting][xss]
(XSS) and other similar code injection attacks.
The CSP defines a “white list” of content types and origins that
are considered safe.  Any references to resources that are not
on the white list are ignored.





If Fossil were perfect and bug-free and never allowed any kind of
code injection on the pages it generates, then the CSP would not
be useful.  The Fossil developers are not aware of any defects
in Fossil that allow code injection, and will promptly fix any defects 
that are brought to their attention.  Lots of eyeballs are looking at
Fossil to find problems in the code, and the Fossil build process uses
custom static analysis techniques to help identify code injection problems

at compile-time.  Nevertheless, problems do sometimes (rarely) slip
through.  The CSP serves as a final line of defense, preventing
code injection defects in Fossil from turning into actual
vulnerabilities.










Fossil site administrators can [modify the default CSP](#override), perhaps
to add trusted external sources for auxiliary content.  But for maximum
safety, site developers are encouraged to work within the restrictions
imposed by the default CSP and avoid the temptation to relax the CSP
unless they fully understand the security implications of what they are
doing.




## The Default Restrictions

The Fossil default CSP declares the following content restrictions:


### <a name="base"></a> default-src 'self' data:


|
|
<
|
|
>
|
>

<
|
|
|
|
>
>
>
>

<
<
<
<
|
|
<
>
|
|
|
|
>
>

>
>
>
>
>
>
>






>
>
>







1
2
3
4

5
6
7
8
9
10

11
12
13
14
15
16
17
18
19




20
21

22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# The Default Content Security Policy (CSP)

When Fossil’s web interface generates an HTML page, it normally includes
a [Content Security Policy][csp] (CSP) in the `<head>`.  The CSP defines

a “white list” to tell the browser what types of content (HTML, images,
CSS, JavaScript...) the document may reference and the sources the
browser is allowed to pull such content from. The aim is to prevent
certain classes of [cross-site scripting][xss] (XSS) and code injection
attacks.  The browser will not pull content types disallowed by the CSP.


Fossil has built-in server-side content filtering logic. For example, it
purposely breaks `<script>` tags when it finds them in Markdown and
Fossil Wiki documents. (But not in [HTML-formatted embedded
docs][hfed]!) We also back that with multiple levels of analysis and
checks to find and fix content security problems: compile-time static
analysis, run-time dynamic analysis, and manual code inspection. Fossil
is open source software, so it benefits from the “[many
eyeballs][llaw],” limited by the size of its developer community.





However, there is a practical limit to the power of server-side
filtering and code quality practices.


First, there is an endless battle between those looking for clever paths
around such barriers and those erecting the barriers. The developers of
Fossil are committed to holding up our end of that fight, but this is,
to some extent, a reactive posture. It is cold comfort if Fossil’s
developers react quickly to a report of code injection — as we do! — if
the bad guys learn of it and start exploiting it first.

Second, Fossil has purposefully powerful features that are inherently
difficult to police from the server side: HTML [in wiki](/wiki_rules)
and [in Markdown](/md_rules) docs, [TH1 docs](./th1.md), etc.

Fossil’s strong default CSP adds client-side filtering to backstop our
server-side measures.

Fossil site administrators can [modify the default CSP](#override), perhaps
to add trusted external sources for auxiliary content.  But for maximum
safety, site developers are encouraged to work within the restrictions
imposed by the default CSP and avoid the temptation to relax the CSP
unless they fully understand the security implications of what they are
doing.

[llaw]: https://en.wikipedia.org/wiki/Linus%27s_Law


## The Default Restrictions

The Fossil default CSP declares the following content restrictions:


### <a name="base"></a> default-src 'self' data: