On 10/18/17, Richard Hipp <d...@sqlite.org> wrote:
> On 10/18/17, Warren Young <war...@etr-usa.com> wrote:
>> On Oct 18, 2017, at 3:44 AM, Warren Young <war...@etr-usa.com> wrote:
>>>
>>> The more web apps that ship with stringent Content-Security-Policy
>>> headers, the fewer arguments we’ll have for allowing JS on web pages.
>
> I'd never heard of Content-Security-Policy before.  A quick scan
> suggests that I need to modify Fossil to make use of it.
>
> Target policy:  default-src: 'self'
>
> That means, no more in-line javascript, which will be a hassle to work
> around.  I'll have to add a "/fossil.js" resource that contains
> various scripts and insert the JSON data used to drive those scripts
> as <script type='text/json'> elements, apparently.

Discussion moved from fossil-users.

I read in the WSJ today that companies are increasingly using web
proxies to limit access to the internet, in an effort to keep malware
under control.  Apparently 94% of companies with between 1000 and 5000
employees use web proxies.  There was no mention of CSP in the article
(geared at a non-technical CTO audience), but I'm guessing that, if
they have not started doing so already, web proxies will soon begin
limiting access to websites based on CSP.  Hence, it seems important
to transition Fossil over to a restrictive CSP setting, post 2.4, so
that it will continue to be usable from behind web proxies.

We are probably still a few years away from this, but I'm guessing
that Chrome and Firefox will start popping up warnings for websites
that lack restrictive CSP at some point.  We want to be ahead of that
curve.

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
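The inline-script-free pattern described in the quoted message (behaviour in a separate /fossil.js, page data in a `<script type='text/json'>` element so the page can run under `default-src 'self'`), as an added JavaScript example that is not Fossil's own code; the /fossil.js path, the `page-data` id and the `fakeDocument` DOM stand-in are assumptions for illustration. It also shows the escaping a data island needs so that untrusted values cannot close the element early.

```javascript
// Serialise data for a <script type="text/json"> island. A "</script>" in a
// string value would otherwise close the island and inject markup.
function jsonForScriptIsland(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Header sent with the page: same-origin resources only, no inline script.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'";

// Server side: no inline JS; behaviour lives in /fossil.js (path assumed
// here) and its input is the data island with id "page-data".
function renderPage(data) {
  return [
    '<!DOCTYPE html><html><head>',
    '<script src="/fossil.js"></script>',
    '</head><body>',
    '<script id="page-data" type="text/json">' +
      jsonForScriptIsland(data) + '</script>',
    '</body></html>',
  ].join('\n');
}

// Client side (what /fossil.js would do): find the island and parse it;
// JSON.parse decodes the \uXXXX escapes, so values come back intact.
function readPageData(doc, id = 'page-data') {
  const island = doc.getElementById(id);
  if (!island || island.getAttribute('type') !== 'text/json') {
    throw new Error('missing data island: ' + id);
  }
  return JSON.parse(island.textContent);
}

// Tiny DOM stand-in so the round trip runs under Node (a browser would
// use document): locate the island in the rendered HTML by id.
function fakeDocument(html) {
  return {
    getElementById(id) {
      const re = new RegExp('<script id="' + id + '" type="([^"]*)">([\\s\\S]*?)</script>');
      const m = re.exec(html);
      return m && { getAttribute: (n) => (n === 'type' ? m[1] : null),
                    textContent: m[2] };
    },
  };
}
```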