modernize innreport HTML

Russ Allbery eagle at eyrie.org
Fri May 15 17:08:34 UTC 2020


Julien ÉLIE <julien at trigofacile.com> writes:

> Hi Richard,

>> The current design is broken when served over HTTPS or when the
>> webserver has a content security policy. The attached patch fixes both
>> issues.

> Why don't you use the html_css_url parameter in innreport.conf?
> # html_css_url    "innreport.css";

> If set, the HTML page will already contain:
> <link rel="stylesheet" type="text/css" media="all" href="$css_url"/>

> I don't see the use case of your patch very well.

Inline styles are not allowed by a (good) Content-Security-Policy because
they're vulnerable to XSS.  It's become common practice to always
externalize all CSS into a separate file.  I think that's the intent of
this patch.

In other words, the goal is to generate an external CSS file in the normal
case where the user has not defined a custom style.  (I haven't looked in
detail to see if this patch is the best way of doing that.)

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
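
An added example, not part of the original message and not INN code: a small audit that lists the inline CSS in a generated report which a browser enforcing a given Content-Security-Policy would refuse to apply. The sample pages and the policy string are constructed for illustration. The check reads only `style-src` with its `default-src` fallback, and ignores the CSP3 `style-src-elem` and `style-src-attr` directives.

```python
from html.parser import HTMLParser

# Constructed sample pages and policy, not output from innreport itself.
INLINE_PAGE = """<html><head>
<style>th { background: #ccc; }</style>
</head><body>
<table style="border: 1px solid"><tr><th>Feed</th></tr></table>
</body></html>"""
EXTERNAL_PAGE = """<html><head>
<link rel="stylesheet" type="text/css" media="all" href="innreport.css"/>
</head><body><table><tr><th>Feed</th></tr></table></body></html>"""
POLICY = "default-src 'self'"

def inline_styles_allowed(csp):
    """True if the policy lets inline CSS without a nonce or hash apply."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("style-src", directives.get("default-src"))
    if sources is None:
        return True  # nothing in the policy governs styles
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
    if any(s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False
    return "'unsafe-inline'" in (s.lower() for s in sources)

class InlineStyleFinder(HTMLParser):
    """Collects (line, description) for every piece of inline CSS."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "style":
            self.findings.append((line, "<style> element"))
        if any(name == "style" for name, _ in attrs):
            self.findings.append((line, f"style attribute on <{tag}>"))

def blocked_styles(html, csp):
    """Inline CSS in `html` that a browser enforcing `csp` would refuse."""
    if inline_styles_allowed(csp):
        return []
    finder = InlineStyleFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `blocked_styles(INLINE_PAGE, POLICY)` reports both the `<style>` element and the `style` attribute, while the page that only links an external stylesheet produces no findings.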

