recommend that you do your own CSS modifications [via the skin][cs]
rather than depend on the ability to insert `<script>` blocks into
individual pages.
### <a name="script"></a> script-src 'self' 'nonce-%s'
This policy disables in-line javascript and only allows `<script>`
elements if the `<script>` includes a `nonce=` attribute the
matches the %s section of the CSP. Fossil provides a different
random nonce for every page it generates, and since an attacker has
no way of predicting what that nonce will be, the attacker is unable
to inject working javascript.
For documents generated by the [CGI extensions][ext], the
value of the nonce is accessible in the FOSSIL_NONCE environment variable.
TH1 scripts that run while generating the header or footer can access
the nonce in the $nonce variable. The JavaScript section of a
[custom skin][cs] automatically includes the appropriate nonce.
#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities
We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
rights on your repository could add a JavaScript file to your repository
recommend that you do your own CSS modifications [via the skin][cs]
rather than depend on the ability to insert `<script>` blocks into
individual pages.
### <a name="script"></a> script-src 'self' 'nonce-%s'
This policy disables in-line JavaScript and only allows `<script>`
elements if the `<script>` includes a `nonce` attribute that matches the
one declared by the CSP. That nonce is a large random number, unique for
each HTTP page generated by Fossil, so an attacker cannot guess the
value, so the browser will ignore an attacker’s injected JavaScript.
That nonce can only come from one of three sources, all of which should
be protected at the system administration level on the Fossil server:
* **Fossil server C code:** All code paths in Fossil that emit
`<script>` elements include the `nonce` attribute. There are several
cases, such as the “JavaScript” section of a [custom skin][cs].
That text is currently inserted into each HTML page generated by
Fossil,¹ which means it needs to include a `nonce` attribute to
allow it to run under this default CSP. We consider JavaScript
emitted via these paths to be safe because it’s audited by the
Fossil developers. We assume that you got your Fossil server’s code
from a trustworthy source and that an attacker cannot replace your
Fossil server binary.
* **TH1 code:** The Fossil TH1 interpreter pre-defines the [`$nonce`
variable](./th1.md#nonce) for use in [custom skins][cs]. For
example, some of the stock skins that ship with Fossil include a
wall clock feature up in the corner that updates once a minute.
These paths are safe in the default Fossil configuration because
only the [all-powerful Setup user][su] can write TH1 code that
executes in the server’s running context.
There is, however, [a default-disabled path](#xss) to beware of,
covered in the next section.
* **[CGI server extensions][ext]:** Fossil exports the nonce to the
CGI in the `FOSSIL_NONCE` environment variable, which it can then
use in `<script>` elements it generates. Because these extensions
can only be installed by the Fossil server’s system administrator,
this path is also considered safe.
[su]: ./admin-v-setup.md
#### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities
We’re so restrictive about how we treat JavaScript because it can lead
to difficult-to-avoid scripting attacks. If we used the same CSP for
`<script>` tags [as for `<style>` tags](#style), anyone with check-in
rights on your repository could add a JavaScript file to your repository
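Review bot: the rewritten script-src paragraph chains two "so" clauses ("so an attacker cannot guess the value, so the browser will ignore an attacker's injected JavaScript"); suggest splitting it, e.g. "… so an attacker cannot guess the value. The browser will therefore ignore an attacker's injected JavaScript." Also, the `[su]: ./admin-v-setup.md` link definition is dropped in mid-document right after the bullet list instead of alongside the other reference definitions (`[cs]`, `[csp]`, `[de]`, `[xss]`) at the end of the file; keeping all link definitions in one place makes them easier to audit. The three-source enumeration (C code, TH1, CGI extensions) is a clearer statement of the trust boundary than the old text, and the "default-disabled path" forward reference to `#xss` is a good addition.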
------------
**Asides and Digressions:**
1. There is actually a third context that can correctly insert this
nonce attribute: [a CGI server extension][ext], by use of
the `FOSSIL_NONCE` variable sent to the CGI by Fossil.
2. The stock Bootstrap skin does actually include a `<head>` tag, but
from Fossil 2.7 through Fossil 2.9, it just repeated the same CSP
text that Fossil’s C code inserts into the HTML header for all other
stock skins. With Fossil 2.10, the stock Bootstrap skin uses
`$default_csp` instead, so you can [override it as above](#th1).
[cs]: ./customskin.md
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[de]: https://dopiaza.org/tools/datauri/index.php
[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
[xssci]: https://fossil-scm.org/forum/forumpost/e7c386b21f
------------
**Asides and Digressions:**
1. Fossil might someday switch to serving the “JavaScript” section of a
custom skin as a virtual text file, allowing it to be cached by the
browser, reducing page load times.
2. The stock Bootstrap skin does actually include a `<head>` tag, but
from Fossil 2.7 through Fossil 2.9, it just repeated the same CSP
text that Fossil’s C code inserts into the HTML header for all other
stock skins. With Fossil 2.10, the stock Bootstrap skin uses
`$default_csp` instead, so you can [override it as above](#th1).
[cs]: ./customskin.md
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[de]: https://dopiaza.org/tools/datauri/index.php
[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
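Review bot: the `[xssci]` reference definition (`https://fossil-scm.org/forum/forumpost/e7c386b21f`) is removed from the link list; confirm no `[xssci]` citation remains elsewhere in the file, otherwise Markdown will render that bracketed text literally instead of as a link. Replacing aside 1 (the CGI-extension nonce source) is consistent with the new CGI bullet in the body, but the footnote marker ¹ on the C-code bullet now points at a forward-looking note about caching rather than an explanation, so consider rewording the marker's sentence to say that the caching remark is what it refers to.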