> On 30 Oct 2017, at 12:52, Richard Hipp <d...@sqlite.org> wrote:
>
> On 10/18/17, Richard Hipp <d...@sqlite.org> wrote:
>> On 10/18/17, Warren Young <war...@etr-usa.com> wrote:
>>> On Oct 18, 2017, at 3:44 AM, Warren Young <war...@etr-usa.com> wrote:
>>>>
>>>> The more web apps that ship with stringent Content-Security-Policy
>>>> headers, the fewer arguments we'll have for allowing JS on web pages.
>>
>> I'd never heard of Content-Security-Policy before. A quick scan
>> suggests that I need to modify Fossil to make use of it.
>>
>> Target policy: default-src: 'self'
>>
>> That means, no more in-line javascript, which will be a hassle to work
>> around. I'll have to add a "/fossil.js" resource that contains
>> various scripts and insert the JSON data used to drive those scripts
>> as <script type='text/json'> elements, apparently.
>
> Discussion moved from fossil-users.
>
> I read in the WSJ today that companies are increasing using web
> proxies to limit access to the internet, in an effort to keep malware
> under control. Apparently 94% of companies with between 1000 and 5000
> employees use web proxies. There was no mention of CSP in the article
> (geared at a non-technical CTO audience), but I'm guessing that, if
> they have not started doing so already, web proxies will soon begin
> limiting access to websites based on CSP. Hence, it seems important
> to transition Fossil over to a restrictive CSP setting, post 2.4, so
> that it will continue to be usable from behind web proxies.
Just in case it's of help, I wrote some notes on a similar "old style to CSP" conversion I did a few years back: https://bens.me.uk/2012/content-security-policy

Ben

_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
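Added example, not code from this thread or from Fossil: the first step of the conversion Richard describes above is an inventory of everything in the existing pages that a bare `default-src 'self'` policy will block (inline script blocks, inline event handlers, `javascript:` URLs, inline styles, and resources loaded from other origins). The small Python audit below walks an HTML document with the standard-library parser and lists those items with line numbers, and it treats `<script type='text/json'>` data blocks as allowed, since browsers never execute them. The page origin, the sample "before" and "after" fragments, and the set of non-executable script types are constructed assumptions for the example.

```python
"""Audit an HTML page for content that a Content-Security-Policy of
``default-src 'self'`` would block.  Example code, not part of Fossil."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script MIME types browsers never execute.  CSP governs executed script only,
# so JSON parked in such an element stays legal under default-src 'self'.
# (Assumed set for this example.)
NON_EXECUTABLE_SCRIPT_TYPES = {"text/json", "application/json",
                               "application/ld+json", "text/template"}

# Element -> attribute that triggers a resource fetch governed by default-src.
FETCHING_ATTRS = {"img": "src", "iframe": "src", "audio": "src", "video": "src",
                  "source": "src", "embed": "src", "object": "data", "link": "href"}


class CspSelfAuditor(HTMLParser):
    """Collect everything in a page that a bare default-src 'self' policy blocks."""

    def __init__(self, page_origin):
        super().__init__()
        origin = urlsplit(page_origin)
        self.page_origin = (origin.scheme, origin.netloc)   # 'self' = scheme + host + port
        self.findings = []
        self._open = None    # ("script" | "style", line) while inside an inline block
        self._body = ""

    def _same_origin(self, url):
        parts = urlsplit(url.strip())
        if not parts.scheme and not parts.netloc:
            return True                      # relative URL: same origin as the page
        return (parts.scheme, parts.netloc) == self.page_origin   # data:/other hosts fail

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"line {line}: inline event handler {name}= on <{tag}>")
            elif name == "style":
                self.findings.append(f"line {line}: inline style attribute on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"line {line}: javascript: URL in {name}= on <{tag}>")
        if tag == "script":
            stype = (attrs.get("type") or "text/javascript").strip().lower()
            if stype in NON_EXECUTABLE_SCRIPT_TYPES:
                return                       # data carrier, never executed
            if "src" in attrs:
                if not self._same_origin(attrs["src"]):
                    self.findings.append(f"line {line}: script outside 'self' {attrs['src']}")
            else:
                self._open, self._body = ("script", line), ""
        elif tag == "style":
            self._open, self._body = ("style", line), ""
        elif tag in FETCHING_ATTRS and FETCHING_ATTRS[tag] in attrs:
            url = attrs[FETCHING_ATTRS[tag]]
            if not self._same_origin(url):
                self.findings.append(f"line {line}: resource outside 'self' {url} on <{tag}>")

    def handle_data(self, data):
        if self._open:
            self._body += data

    def handle_endtag(self, tag):
        if self._open and tag == self._open[0]:
            kind, line = self._open
            if self._body.strip():           # an empty block executes nothing
                self.findings.append(f"line {line}: inline <{kind}> block")
            self._open = None


def audit_csp_self(html, page_origin="https://fossil.example.test"):
    """Return the list of findings for one page; page_origin is an assumed value."""
    auditor = CspSelfAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed "old style" page: inline handler, javascript: link, third-party
# image, and inline script carrying its own data.
BEFORE_PAGE = """<html><body>
<a href="javascript:toggle()" onclick="return false">toggle</a>
<img src="https://cdn.example.net/logo.png">
<script>var data = {"rows": 3}; render(data);</script>
</body></html>"""

# Constructed converted page: data in a non-executable script element, logic
# in a same-origin /fossil.js, handlers attached from that file.
AFTER_PAGE = """<html><body>
<a href="#" id="toggle">toggle</a>
<img src="/logo.png">
<script type="text/json" id="page-data">{"rows": 3}</script>
<script src="/fossil.js"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("before", BEFORE_PAGE), ("after", AFTER_PAGE)):
        print(f"{name}: {len(audit_csp_self(page))} finding(s)")
        for f in audit_csp_self(page):
            print("  " + f)
```

Running the audit over a template directory before switching the header on is the cheap way to find the stragglers; the browser's own CSP violation reports (the `report-uri` / `report-to` directives) then catch whatever the static pass missed once the policy is live.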