modernize innreport HTML
Russ Allbery
eagle at eyrie.org
Fri May 15 17:08:34 UTC 2020
Julien ÉLIE <julien at trigofacile.com> writes:
> Hi Richard,
>> The current design is broken when served over HTTPS or when the
>> webserver has a content security policy. The attached patch fixes both
>> issues.
> Why don't you use the html_css_url parameter in innreport.conf?
> # html_css_url "innreport.css";
> If set, the HTML page will already contain:
> <link rel="stylesheet" type="text/css" media="all" href="$css_url"/>
> I don't see well the use case of your patch.
Inline styles are not allowed by a (good) Content-Security-Policy because
they're vulnerable to XSS. It's become common practice to always
externalize all CSS into a separate file. I think that's the intent of
this patch.
In other words, the goal is to generate an external CSS file in the normal
case where the user has not defined a custom style. (I haven't looked in
detail to see if this patch is the best way of doing that.)
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
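An added example, not part of the original message or of INN's code: a Python check for the point made in the reply above, that a Content-Security-Policy which does not permit inline styles leaves a page's `<style>` elements and `style` attributes unapplied. The function names and the sample page are constructed for illustration; only `style-src` with its `default-src` fallback is modelled (not the CSP3 `style-src-elem`/`style-src-attr` split).

```python
from html.parser import HTMLParser

# Constructed sample (not real innreport output): inline CSS plus an external link.
SAMPLE_PAGE = """<html><head>
<style>th { background: #ccc; }</style>
<link rel="stylesheet" type="text/css" media="all" href="innreport.css"/>
</head><body>
<table style="border: 1px solid"><tr><th>Hits</th></tr></table>
</body></html>
"""

def inline_styles_allowed(policy):
    """True if this Content-Security-Policy value lets plain inline CSS apply."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    # style-src governs CSS and falls back to default-src when absent.
    sources = directives.get("style-src", directives.get("default-src"))
    if sources is None:
        return True  # nothing in the policy restricts styles
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    return "'unsafe-inline'" in sources and not pinned

class InlineStyleFinder(HTMLParser):
    """Collects (line, description) for every inline style in a page."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which the tag opens
        if tag == "style":
            self.found.append((line, "<style> element"))
        if any(name == "style" for name, _ in attrs):
            self.found.append((line, "style attribute on <%s>" % tag))

def blocked_inline_styles(html, policy):
    """Inline styles in html that a browser enforcing policy would not apply."""
    if inline_styles_allowed(policy):
        return []
    finder = InlineStyleFinder()
    finder.feed(html)
    finder.close()
    return finder.found
```

Running `blocked_inline_styles(SAMPLE_PAGE, "default-src 'self'")` lists the two inline styles that would have to move into the external stylesheet; the `<link>` line is unaffected.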