[PATCH] Duplicate base css definitions in stylesheets

[PATCH] Duplicate base css definitions in stylesheets

[Konstantin Ryabitsev]

All pages carry the following inlined css declaration:

    <style>pre{white-space:pre-wrap}*{font-size:100%;font-family:monospace}</style>

However, site security policies may deliberately prohibit execution of
inline content such as scripts and stylesheets as an extra layer of
protection against XSS vulnerabilities. For example, with the following
HTTP headers returned by the server, the inline styles above will be
ignored:

    Content-Security-Policy: default-src 'self'

This causes public-inbox content to be rendered poorly on mobile devices
due to the default <pre> behaviour. Duplicating this declaration into
the contrib stylesheets makes sure that these styles are applied even
with the strictest security policies in place.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 contrib/css/216dark.css  | 3 ++-
 contrib/css/216light.css | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/contrib/css/216dark.css b/contrib/css/216dark.css
index 02804cbd..1277a49a 100644
--- a/contrib/css/216dark.css
+++ b/contrib/css/216dark.css
@@ -5,7 +5,8 @@
  * It reduces eyestrain for me, and energy usage for all:
  * https://en.wikipedia.org/wiki/Light-on-dark_color_scheme
  */
-* { background:#000; color:#ccc }
+* { font-size: 100%; font-family: monospace; background:#000; color:#ccc }
+pre { white-space: pre-wrap }
 
 /*
  * Underlined links add visual noise which make them hard-to-read.
diff --git a/contrib/css/216light.css b/contrib/css/216light.css
index c66cfdfe..741214c9 100644
--- a/contrib/css/216light.css
+++ b/contrib/css/216light.css
@@ -4,7 +4,8 @@
  * Suitable for print, and blinding people with brightness.
  * Haphazardly thrown together because bright colors hurt my eyes
  */
-* { background:#fff; color:#333 }
+* { font-size: 100%; font-family: monospace; background:#fff; color:#333 }
+pre { white-space: pre-wrap }
 
 /*
  * Underlined links add visual noise which make them hard-to-read.

base-commit: 0a3bcc909a9b023755079ee57f347f33aac75d3e
-- 
2.31.1

Re: [PATCH] Duplicate base css definitions in stylesheets

[Eric Wong]

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> All pages carry the following inlined css declaration:
> 
>     <style>pre{white-space:pre-wrap}*{font-size:100%;font-family:monospace}</style>
> 
> However, site security policies may deliberately prohibit execution of
> inline content such as scripts and stylesheets as an extra layer of
> protection against XSS vulnerabilities. For example, with the following
> HTTP headers returned by the server, the inline styles above will be
> ignored:
> 
>     Content-Security-Policy: default-src 'self'

Odd, I thought inline would be the most secure since there's no
chance of separate requests going to third parties...

> This causes public-inbox content to be rendered poorly on mobile devices
> due to the default <pre> behaviour. Duplicating this declaration into
> the contrib stylesheets makes sure that these styles are applied even
> with the strictest security policies in place.

Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

I've been looking forward to getting JMAP working (once the mind-twisting
inotify/IDLE synchronization stuff with lei is done); but not
sure how mobile clients handle it, if at all, yet.

Re: [PATCH] Duplicate base css definitions in stylesheets

[Konstantin Ryabitsev]

On Mon, Aug 16, 2021 at 10:21:48PM +0000, Eric Wong wrote:
> > However, site security policies may deliberately prohibit execution of
> > inline content such as scripts and stylesheets as an extra layer of
> > protection against XSS vulnerabilities. For example, with the following
> > HTTP headers returned by the server, the inline styles above will be
> > ignored:
> > 
> >     Content-Security-Policy: default-src 'self'
> 
> Odd, I thought inline would be the most secure since there's no
> chance of separate requests going to third parties...

For sites that accept untrusted user input (e.g. via query boxes or any other
input), default-src 'self' is the safest setting, because this requires an
attacker to be able to inject both a server-side entry that returns malicious
content *and* an in-page link, script, or img tag that would load it. It helps
eliminate reflected XSS as an attack vector entirely.

> > This causes public-inbox content to be rendered poorly on mobile devices
> > due to the default <pre> behaviour. Duplicating this declaration into
> > the contrib stylesheets makes sure that these styles are applied even
> > with the strictest security policies in place.
> 
> Oh well :<   pushed as commit 86df4acd140d61ab2f82e8c17e3118865f867c9a

Thank you!

-K