Send inn-workers mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."


Today's Topics:

   1. Re: modernize innreport HTML (Julien ÉLIE)
   2. Re: modernize innreport HTML (Richard Kettlewell)
   3. Re: modernize innreport HTML (Russ Allbery)
   4. Re: modernize innreport HTML (Julien ÉLIE)
   5. Re: modernize innreport HTML (Richard Kettlewell)
   6. Re: modernize innreport HTML (Julien ÉLIE)
   7. Re: modernize innreport HTML (Russ Allbery)


----------------------------------------------------------------------

Message: 1
Date: Fri, 15 May 2020 18:31:59 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected], [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi Richard,

> The current design is broken when served over HTTPS or when the 
> webserver has a content security policy. The attached patch fixes both 
> issues.

Why don't you use the html_css_url parameter in innreport.conf?
# html_css_url    "innreport.css";

If set, the HTML page will already contain:
<link rel="stylesheet" type="text/css" media="all" href="$css_url"/>

I don't quite see the use case for your patch.



If html_xhtml11_icon and html_vcss_icon are not set in innreport.conf, 
the two icons won't be present in the generated web page, will they?  So 
it doesn't matter if we keep the feature for those who want it, I think.

-- 
Julien ÉLIE

"Make haste to live well, and consider that each day is, by itself, a
life." (Seneca)


------------------------------

Message: 2
Date: Fri, 15 May 2020 17:50:14 +0100
From: Richard Kettlewell <[email protected]>
To: Julien ÉLIE <[email protected]>, [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Without the patch the default behavior does not work properly in modern
web server configurations. The embedded CSS is ignored and the embedded
images caused a mixed content security warning.

Obviously a deployment can fix this up one way or another (in my case, I
patch at build time) but I think the generated HTML ought to work "out
of the box" rather than requiring operator attention.

ttfn/rjk

On 15/05/2020 17:31, Julien ÉLIE wrote:
> Hi Richard,
> 
>> The current design is broken when served over HTTPS or when the
>> webserver has a content security policy. The attached patch fixes both
>> issues.
> 
> Why don't you use the html_css_url parameter in innreport.conf?
> # html_css_url    "innreport.css";
> 
> If set, the HTML page will already contain:
> <link rel="stylesheet" type="text/css" media="all" href="$css_url"/>
> 
> I don't quite see the use case for your patch.
> 
> 
> 
> If html_xhtml11_icon and html_vcss_icon are not set in innreport.conf,
> the two icons won't be present in the generated web page, will they?  So
> it doesn't matter if we keep the feature for those who want it, I think.
> 


------------------------------

Message: 3
Date: Fri, 15 May 2020 10:08:34 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Julien ÉLIE <[email protected]> writes:

> Hi Richard,

>> The current design is broken when served over HTTPS or when the
>> webserver has a content security policy. The attached patch fixes both
>> issues.

> Why don't you use the html_css_url parameter in innreport.conf?
> # html_css_url    "innreport.css";

> If set, the HTML page will already contain:
> <link rel="stylesheet" type="text/css" media="all" href="$css_url"/>

> I don't quite see the use case for your patch.

Inline styles are not allowed by a (good) Content-Security-Policy because
they're vulnerable to XSS.  It's become common practice to always
externalize all CSS into a separate file.  I think that's the intent of
this patch.

In other words, the goal is to generate an external CSS file in the normal
case where the user has not defined a custom style.  (I haven't looked in
detail to see if this patch is the best way of doing that.)

-- 
Russ Allbery ([email protected])             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
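
The two failure modes discussed above (Russ's point that a strict Content-Security-Policy drops inline styles, and Richard's point that http:// icons on an https page trigger a mixed content warning) can be checked mechanically before a report page is published. The following Python script is an added example written for this digest; it is not code from INN, innreport, or any of the participants. It audits an HTML page for inline `<style>` blocks and `style=""` attributes, collects `<link rel="stylesheet">` references, flags http:// subresources, and then decides whether the page would still be styled under a given CSP. The function names (`audit_html`, `parse_csp`, `styles_render_under`), the two sample pages, the icon URL and the policy string are all constructed for illustration; the "legacy" page only imitates the shape of the old inline-CSS output and the "modern" page the `<link ... href="innreport.css"/>` that html_css_url emits.

```python
"""Audit a generated HTML report for CSP inline-style violations and mixed content.

Added example for this thread; not part of INN or innreport.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Auditor(HTMLParser):
    # Attributes that make the browser fetch a subresource.  An http:// URL in one
    # of these on an https page is mixed content; a plain <a href> link is not.
    URL_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.inline_style_blocks = 0      # <style>...</style> elements
        self.inline_style_attrs = 0       # style="..." attributes
        self.external_stylesheets = []    # href of <link rel="stylesheet">
        self.subresources = []            # every URL taken from URL_ATTRS

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.inline_style_blocks += 1
        if "style" in a:
            self.inline_style_attrs += 1
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.external_stylesheets.append(a["href"])
        attr = self.URL_ATTRS.get(tag)
        if attr and a.get(attr):
            self.subresources.append(a[attr])


def audit_html(html, page_scheme="https"):
    """Return counts of inline styles, external sheets and mixed-content URLs."""
    p = _Auditor()
    p.feed(html)
    p.close()
    mixed = [u for u in p.subresources
             if page_scheme == "https" and urlparse(u).scheme.lower() == "http"]
    return {
        "inline_style_blocks": p.inline_style_blocks,
        "inline_style_attrs": p.inline_style_attrs,
        "external_stylesheets": p.external_stylesheets,
        "mixed_content": mixed,
    }


def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def styles_render_under(header, report):
    """True if the browser would apply every style in `report` under this CSP.

    style-src is used when present, otherwise default-src.  Nonce and hash
    sources are deliberately not modelled: a static report page cannot mint them.
    """
    policy = parse_csp(header)
    sources = policy.get("style-src", policy.get("default-src", []))
    if report["inline_style_blocks"] or report["inline_style_attrs"]:
        if "'unsafe-inline'" not in sources:
            return False          # inline <style> and style="" are dropped
    for href in report["external_stylesheets"]:
        u = urlparse(href)
        if not u.netloc:          # relative URL: same origin, needs 'self' or *
            allowed = "'self'" in sources or "*" in sources
        else:
            allowed = any(s in ("*", u.netloc, f"{u.scheme}://{u.netloc}") for s in sources)
        if not allowed:
            return False
    return True


# Constructed sample pages (not real innreport output).  LEGACY_PAGE mimics the
# old inline-CSS layout with a validation icon fetched over http://; MODERN_PAGE
# mimics the <link> element that html_css_url emits.
LEGACY_PAGE = """<html><head><title>innreport</title>
<style type="text/css">body { font-family: sans-serif; }</style>
</head><body>
<h1>Daily Usenet report</h1>
<p style="color: gray">Generated by innreport</p>
<a href="http://validator.example/"><img src="http://icons.example/valid-xhtml11.png" alt="Valid XHTML 1.1"/></a>
</body></html>"""

MODERN_PAGE = """<html><head><title>innreport</title>
<link rel="stylesheet" type="text/css" media="all" href="innreport.css"/>
</head><body><h1>Daily Usenet report</h1></body></html>"""

# A policy of the kind Russ calls "good": no inline styles allowed anywhere.
STRICT_CSP = "default-src 'none'; style-src 'self'; img-src 'self'"

if __name__ == "__main__":
    for name, page in (("legacy", LEGACY_PAGE), ("modern", MODERN_PAGE)):
        r = audit_html(page)
        print(name, r, "styled under strict CSP:", styles_render_under(STRICT_CSP, r))
```

Feed it the real output of innreport before tightening style-src on the web server: the legacy-shaped page fails both checks (it needs 'unsafe-inline' and it pulls an http:// image), while the external-stylesheet page passes under the strict policy as long as innreport.css is served from the same origin. Only subresource attributes count as mixed content; a plain link to an http:// validator page is navigation, not a fetch, so it is left alone.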


------------------------------

Message: 4
Date: Fri, 15 May 2020 20:19:08 +0200
From: Julien ÉLIE <[email protected]>
To: Richard Kettlewell <[email protected]>, [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed


Hi Richard,

> Without the patch the default behavior does not work properly in modern
> web server configurations. The embedded CSS is ignored and the embedded
> images caused a mixed content security warning.
> 
> Obviously a deployment can fix this up one way or another (in my
> case, I patch at build time) but I think the generated HTML ought to
> work "out of the box" rather than requiring operator attention.

Then why wouldn't we switch the default behaviour to just enable 
html_css_url in innreport.conf instead of leaving it commented out, and 
remove the legacy inline CSS code:
# html_css_url    "innreport.css";

innreport.css is already installed by INN in <pathhttp>:
Makefile -> $D$(PATHHTTP)/innreport.css

-- 
Julien ÉLIE

"Make haste to live well, and consider that each day is, by itself, a
life." (Seneca)


------------------------------

Message: 5
Date: Fri, 15 May 2020 19:30:21 +0100
From: Richard Kettlewell <[email protected]>
To: Julien ÉLIE <[email protected]>, [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed

On 15/05/2020 19:19, Julien ÉLIE wrote:
> 
> Hi Richard,
> 
>> Without the patch the default behavior does not work properly in modern
>> web server configurations. The embedded CSS is ignored and the embedded
>> images caused a mixed content security warning.
>>
>> Obviously a deployment can fix this up one way or another (in my
>> case, I patch at build time) but I think the generated HTML ought to
>> work "out of the box" rather than requiring operator attention.
> 
> Then why wouldn't we switch the default behaviour to just enable 
> html_css_url in innreport.conf instead of leaving it commented out, and 
> remove the legacy inline CSS code:
> # html_css_url    "innreport.css";
> 
> innreport.css is already installed by INN in <pathhttp>:
> Makefile -> $D$(PATHHTTP)/innreport.css

You could do that, yes.

ttfn/rjk


------------------------------

Message: 6
Date: Fri, 15 May 2020 20:39:27 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi Russ,

>> Why don't you use the html_css_url parameter in innreport.conf?
>> # html_css_url    "innreport.css";
>> 
>> If set, the HTML page will already contain:
>> <link rel="stylesheet" type="text/css" media="all" href="$css_url"/>
>> 
>> I don't quite see the use case for your patch.
> 
> Inline styles are not allowed by a (good) Content-Security-Policy because
> they're vulnerable to XSS.  It's become common practice to always
> externalize all CSS into a separate file.  I think that's the intent of
> this patch.
> 
> In other words, the goal is to generate an external CSS file in the normal
> case where the user has not defined a custom style.  (I haven't looked in
> detail to see if this patch is the best way of doing that.)

We already have an external CSS file installed by default (which 
contains the same style as the one that is generated inline):
   https://inn.eyrie.org/trac/browser/trunk/samples/innreport.css
   https://inn.eyrie.org/trac/changeset/8170

I believe we should just use that innreport.css file by default (instead 
of generating this external CSS file when innreport is run).
Is there something I am missing?

Fresh INN installations will have the new behaviour.
Updates will keep the legacy behaviour unless they manually enable 
html_css_url in innreport.conf.  Richard's patch makes it possible to 
force that behaviour directly (which is an advantage).  Maybe we should 
do both (change the default behaviour and apply Richard's patch).

-- 
Julien ÉLIE

"Make haste to live well, and consider that each day is, by itself, a
life." (Seneca)


------------------------------

Message: 7
Date: Fri, 15 May 2020 11:41:26 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: modernize innreport HTML
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Julien ÉLIE <[email protected]> writes:

> We already have an external CSS file installed by default (which contains
> the same style as the one that is generated inline):
>   https://inn.eyrie.org/trac/browser/trunk/samples/innreport.css
>   https://inn.eyrie.org/trac/changeset/8170

Oh, that's the bit I'd missed.

> I believe we should just use that innreport.css file by default (instead
> of generating this external CSS file when innreport is run).
> Is there something I am missing?

Nope, that sounds good to me.

> Fresh INN installations will have the new behaviour.
> Updates will keep the legacy behaviour unless they manually enable
> html_css_url in innreport.conf.  Richard's patch makes it possible to
> force that behaviour directly (which is an advantage).  Maybe we should
> do both (change the default behaviour and apply Richard's patch).

I suspect that we can skip the part of the patch that constructs the CSS
file and count on the fact that we're shipping a copy, but otherwise doing
both sounds good to me.  I don't think we need to support both inline and
external styles; we can just convert everyone to external styles on
upgrade.

-- 
Russ Allbery ([email protected])             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.


------------------------------

Subject: Digest Footer

_______________________________________________
inn-workers mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/inn-workers


------------------------------

End of inn-workers Digest, Vol 119, Issue 3
*******************************************
