History of file www/defcsp.md at check-in f9fa692af911b66c
2024-03-30
| ||
20:48 | Removed all references to "Fossil 2.1x" from the docs, excepting the changelog and the hashpolicy doc. The bulk of these were for 2.14 or older — *ten* versions back now! — and there is no reason to suppose such old versions are still in use any more. These notes were justified when they informed users about surprising changes and feature additions, but they now do nothing but clutter the docs. If I am wrong about people being surprised by these things, we still have the changelog, the timeline, and the forum. ... (file: [9acc92726d] check-in: [ad47a447c8] user: wyoung branch: trunk, size: 21326) | |
2024-02-10
| ||
12:26 | Removed a bunch of manual indents in pre blocks, MD fenced code blocks, etc. The skin does that for us now. ... (file: [76312fbb77] check-in: [2a7b1de356] user: wyoung branch: inskinerator-modern-backport, size: 21250) | |
2022-10-07
| ||
22:21 | Fixed a few references to the obsolete tls-nginx.md doc. (It became part of the overall nginx.md server doc long ago.) ... (file: [67b48b4e32] check-in: [780b58bccf] user: wyoung branch: trunk, size: 21321) | |
2022-02-02
| ||
21:50 | Fix typo in defcsp.md: DSP --> CSP ... (file: [81dabeac00] check-in: [9ce4dd0db2] user: mgagnon branch: trunk, size: 21298) | |
2021-09-17
| ||
02:02 | Converted all uses of the [https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-name | obsolete] named anchor feature from HTML before 4.0 to use fragment identifiers instead. (<tt>www/*</tt> subtree only.) Where possible, changed constructs like <verbatim><a name="foo"></a><h3></verbatim> to <verbatim><h3 id="foo"></verbatim> Also fixed a few cases where the link target came after a header so the browser would scroll the header off the screen when visiting the targeted section. Added a 50em pad at the bottom of one such edited doc to allow the intra-doc link targets to be useful since it's a short enough doc that on sufficiently tall browser windows, scrolling isn't possible, so using those anchors has no visible effect. ... (file: [f9d7c3c754] check-in: [93cee1f56e] user: wyoung branch: trunk, size: 21298) | |
2021-06-26
| ||
18:08 | Fix various documentation typos. ... (file: [e86627fc1e] check-in: [3fec387cc3] user: drh branch: trunk, size: 21322) | |
2021-06-19
| ||
20:58 | This should demonstrate a behavior of inline STYLE tags. Notice gray background of PRE elements in [/doc/inline-style-inconsistency/www/defcsp.md|www/defcsp.md] and the lack of it in [/doc/inline-style-inconsistency/www/webui.wiki|www/webui.wiki]. See forum [forum:/forumthread/69f475cf48|thread 69f475cf48]. ... (file: [c455c8c80c] check-in: [1d276f7b23] user: george branch: inline-style-inconsistency, size: 21411) | |
2021-03-04
| ||
16:40 | Added a section to the default CSP doc to document the changes made recently to that default CSP. ... (file: [adbd044f32] check-in: [ab029e40ec] user: wyoung branch: trunk, size: 21323) | |
2021-03-03
| ||
17:21 | Further adjustments to the default CSP to allow in-line images. ... (file: [9f8993c40b] check-in: [c184d646c3] user: drh branch: trunk, size: 20778) | |
16:41 | Relax the built-in CSP to remove all restrictions on the source of images. ... (file: [9613dcdf63] check-in: [025a007249] user: drh branch: trunk, size: 20772) | |
2021-01-12
| ||
16:00 | Fix typos in Markdown and Wiki pages. ... (file: [7f8e9746a0] check-in: [e755561d73] user: danield branch: trunk, size: 21678) | |
2020-07-23
| ||
22:35 | Rewrote the section "Overriding the Default CSP" in the defcsp.md doc. Although it's hard to see from the diffs, it largely just adds more detail to what it already said. ... (file: [bf70e389d1] check-in: [896aa05649] user: wyoung branch: trunk, size: 21677) | |
17:39 | Update documentation on CSP to point the user to the default-csp setting. ... (file: [8e0109bcf4] check-in: [f5778d0d91] user: drh branch: trunk, size: 18055) | |
2020-04-08
| ||
18:53 | Fix typo in default-src directive spec. ... (file: [e2467d7aad] check-in: [f64f757eda] user: ashepilko branch: trunk, size: 17612) | |
2019-10-01
| ||
16:57 | Correction and clarification of the use of unsafe-inline for style in the "defcsp.md" document. ... (file: [5afba0dd38] check-in: [baecb63d9b] user: drh branch: trunk, size: 17614) | |
13:44 | Several small tweaks to defcsp.md ... (file: [45554c5ebc] check-in: [e73901f15c] user: wyoung branch: trunk, size: 17747) | |
2019-09-04
| ||
00:58 | Merged caps-doc branch down to trunk, improving documentation of user capabilities in Fossil. ... (file: [fd1cd9c8d4] check-in: [779ddefa19] user: wyoung branch: trunk, size: 17576) | |
2019-09-02
| ||
23:26 | Added a new section to www/defcsp.md, "Serving Files Within the Limits". It pulls together a bit of info already in the document on the topic and then expands it considerably. The overall message is, "You probably don't have to override the default CSP." ... (file: [dfdac6a88e] check-in: [58883eccea] user: wyoung branch: trunk, size: 17566) | |
2019-08-29
| ||
00:17 | Fixed some URLs still referring to admin-v-setup.md in its old location. ... (file: [5b493dbbe9] check-in: [182c4d7abc] user: wyoung branch: caps-doc, size: 15246) | |
2019-08-22
| ||
14:14 | Added bullet list detailing the sources for <script nonce=""> from a Fossil server and the reasons we consider each path safe. ... (file: [74d25cc0a4] check-in: [91377ae432] user: wyoung branch: trunk, size: 15236) | |
13:31 | Reworked the material explaining why in-page <style> is currently allowed by Fossil's default CSP to make it clearer that this is most likely a temporary situation and that local custom CSS should go in the skin instead. ... (file: [08cb78abe3] check-in: [092eeebf40] user: wyoung branch: trunk, size: 13923) | |
13:13 | Expanded the discussion of in-repo and out-of-repo resource links in defcsp.md. ... (file: [85d32e367b] check-in: [23fcd765f6] user: wyoung branch: trunk, size: 13594) | |
12:39 | Reworked the new introductory material in defcsp.md to be less about the CSP as last-resort and more about being a secondary filter to our other measures. Gave examples to clarify the tensions that prevent a purely server-side solution from being a practical solution. ... (file: [9707510681] check-in: [1c4df5bf0a] user: wyoung branch: trunk, size: 12351) | |
2019-08-21
| ||
11:26 | Update to the default CSP page. Attempted to resolve merge conflicts, but more editing is likely necessary. ... (file: [f125487e07] check-in: [33a7b8babe] user: drh branch: trunk, size: 11693) | |
11:09 | Added a header to the new XSS material in defcsp.md so we can refer directly to it. ... (file: [6dafd8bc95] check-in: [7b843f2d43] user: wyoung branch: trunk, size: 11744) | |
11:01 | More thorough explanation of <script nonce> in www/defcsp.md, and explained the reason why Fossil has no way of providing that nonce in most content types rather than link to the "XSS via check-in rights" forum post. This new presentation of that post's ideas is more detailed and includes discussion of the feature's interaction with the TH1 docs feature. ... (file: [cebd4bed5c] check-in: [8d43bb8786] user: wyoung branch: trunk, size: 11667) | |
09:40 | Major improvements to the new defcsp.md article. Expanded the introductory material to better describe what the CSP does; added named anchors to headers; moved the discussion of $default_csp overrides into this document from customskin.md, which now just says how you use that variable read-only; and added an entirely new section, "Replacing the Default CSP". ... (file: [6b0134aeea] check-in: [366b23a180] user: wyoung branch: trunk, size: 8116) | |
2019-08-20
| ||
06:34 | Merged in trunk improvements ... (file: [df3a1620a7] check-in: [42d28c0286] user: wyoung branch: server-docs, size: 3697) | |
04:07 | Added www/defcsp.md, which documents the default Content Security Policy applied by Fossil to the HTML pages it serves. Linked that into embeddeddoc.wik and customskin.md, which touched on this topic before but didn't go into much detail. ... (file: [9b0930d291] check-in: [4e6d36d7d4] user: wyoung branch: trunk, size: 3701) | |