Add Content Security Policy to default

[mozfreddyb]

This CSP intends to prevent pwnie attacks as seen in https://docs.rs/pwnies/0.0.14/pwnies/

The idea is that we don't allow script tags with inline scripts. And no scripts from JSfiles unless they are hosted in the same origin.
(We also have to disallow plugins (Java, Flash) because they do weird things with the Same Origin Policy)

This might leave in an attack where a crate contains the JS file itself though?

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @QuietMisdreavus (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[rust-highfive]

The job x86_64-gnu-llvm-3.9 of your PR failed on Travis (raw log). Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

Click to expand the log.

 [00:05:20] travis_fold:start:tidy travis_time:start:tidy tidy check [00:05:20] tidy error: /checkout/src/librustdoc/html/layout.rs:45: line longer than 100 chars [00:05:22] some tidy checks failed [00:05:22] [00:05:22] [00:05:22] command did not execute successfully: "/checkout/obj/build/x86_64-unknown-linux-gnu/stage0-tools-bin/tidy" "/checkout/src" "/checkout/obj/build/x86_64-unknown-linux-gnu/stage0/bin/cargo" "--no-vendor" "--quiet" [00:05:22] [00:05:22] [00:05:22] failed to run: /checkout/obj/build/bootstrap/debug/bootstrap test src/tools/tidy [00:05:22] Build completed unsuccessfully in 0:02:07 [00:05:22] Build completed unsuccessfully in 0:02:07 [00:05:22] Makefile:79: recipe for target 'tidy' failed [00:05:22] make: *** [tidy] Error 1 The command "stamp sh -x -c "$RUN_SCRIPT"" exited with 2. travis_time:start:1210f789 $ date && (curl -fs --head https://google.com | grep ^Date: | sed 's/Date: //g' || true) 

I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact @TimNN. (Feature Requests)

[GuillaumeGomez]

I'm opposed to this PR. This has been debated before and the conclusion was more or less that abusers would get blacklisted.

[QuietMisdreavus]

@hdevalence @isislovecruft since y'all were the ones who popularized linking in JS - Would a CSP like this allow you to do what you needed?

(I don't fully understand CSP so i'll need everyone else to describe what's going on... >_>)

[killercup]

This will break people who use KaTeX in their docs, right?

[ollie27]

docs.rs definitely needs to set a CSP. I don't think it's right for rustdoc to have one by default, especially if it can't be disabled.

[killercup]

@ollie27 Yes, I'd expect a hosted service like docs.rs to set a CSP via the HTTP header. I'd also expect it to have a (documented) set of domains that it actually does allow to load resources from – e.g. CDNs like cdn.jsdelivr.net so people can include KaTeX without adding its source to their crate.

[GuillaumeGomez]

No, KaTeX wouldn't work anymore. And I think the same: CSP should be up to the host, not to rustdoc.

[hdevalence]

At a glance, I think this change will break our docs on https://doc.dalek.rs and https://doc-internal.dalek.rs .

IMO the root of the pwnies problem isn't JS in docs, it's about the fact that docs.rs builds arbitrary code from anyone with a Github account, and then serves the results to all of its users. Adding a CSP header to rustdoc doesn't really fix that, but it does break a bunch of legitimate reasons to inject JS into documentation.

[isislovecruft]

Hi! My recommendation to the awesome people running the docs.rs server was to set a CSP and whitelist some common CDNs. I'm uncertain whether rustdoc should be setting the CSP policy, but it might not be the worst idea?

Pros:

• Individual hosts can actually override this by setting their own CSP in the HTTP response headers sent by their server.
• I think this wouldn't actually break our docs (either on https://doc.dalek.rs or https://doc-internal.dalek.rs), other than it would break some 3rd party images we've got (badges for versions and Travis status and such).

Cons:

• Lots of folks use CDNs and various 3rd party APIs for lots things, like shields.io, api.travis-ci.org, api.github.com, crates.io, etc, so disabling all of that (as @killercup mentioned) by default then forces the host admins to whitelist every single thing anyone might use.
• As mentioned by @mozfreddyb a user could still upload javascript in their crate. (They'd actually only need to do it once, and then they'd forever be able to link to the past doc build's copy. Also anyone else can link it.)

[mozfreddyb]

Thank you folks for helping me getting a better picture of the issue at hand.
For example, I wasn't aware that people use KaTeX in their docs.

I'll come up with a better plan then :)

[pietroalbini]

Ping from triage @mozfreddyb! Did you came up with a plan for this?

[pietroalbini]

Thank you for this PR @mozfreddyb! Unfortunately we haven't heard from you on this in a while, so I'm closing the PR to keep things tidy. Don't worry though, if you'll have time again in the future please reopen this PR, we'll be happy to review it again!