On Sun 5 June 2011 Matt McCutchen wrote: > On Sun 2011-06-05 at 15:33 +0200 Jakub Narebski wrote: >> On Sun 5 July 2011 Matt McCutchen wrote: >>> On Sun 2011-06-05 at 11:03 +0200 Jakub Narebski wrote: >> >>>> In the future however it might be better solution for gitweb to implement >>>> (as an option) support for CSP (Content Security Policy) which IIRC did >>>> not exists in 2009 in addition to current $prevent_xss. >>> >>> Sure. CSP is not a substitute for designing to prevent harmful HTML >>> injection but a mitigation for some of its worst effects in case some >>> injection points are overlooked. There's no reason not to enable it by >>> default with $prevent_xss though third parties adding functionality to >>> gitweb would need to know to disable it or modify the policy >>> accordingly. >> >> I propose CSP support _in addition to_ and not replacing $prevent_xss >> (which would be nice to have more fine-grained control over). >> >> Well while we can whitelist HTML fragment from README.html or render >> README.md / README.rs / README.pod etc. instead of blocking it like gitweb >> currently does if $prevent_xss is enabled I don't think it would be >> feasible to do the same for text/html 'blob_plain' pages. >> >> Serving HTML pages etc. from 'blob_plain' view with path_info links >> is quite useful feature; this way one can use gitweb as a cheap and easy >> way to deploy web pages > > Yes. > >> and web apps; > > Probably not: the browser features needed to make a nontrivial web app > are probably the same ones that are dangerous to other web apps. "Deploying" with gitweb doesn't allow for server-side scripting, so it is "web apps" only as far as there can be web application done entirely on client-side: HTML or HTML5 + JavaScript. Well, there is demo of a game played in HTML5+JavaScript played entirely in URL bar ;-) With CSP you would be restricted to prerequisites (web page itself, scripts, stylesheets, images) to be also hosted/deployed via gitweb. What features would non server-side nontrivial web app need that would be dangerous to other web apps? >> or just test results of development. >> CSP would serve this purpose well; current $prevent_xss behavior of >> serving as attachment (forcing download) or serving them as text/plain >> as e.g. GitHub does simply remove this feature. > > CSP is not intended to be used by itself as a sandbox although it might > almost work for the purpose. It would be more appropriate to set up a > wildcard virtual host and appropriate rewrite rules to expose each > repository at a different DNS name and take advantage of the usual > same-origin policy. Could this virtualhost + DNS + same-origin sandboxing be used for gitweb? If not, then perhaps it is better solution in other cases, but not for gitweb. P.S. I don't know how difficult implementing CSP support for gitweb would be, given that gitweb is quite configurable wrt. external resources it uses: $javascript, @stylesheets, various *logo variables... -- Jakub Narebski Poland -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html