On 11/10/22 11:03, Gerald Pfeifer wrote:
On Thu, 10 Nov 2022, Martin Liška wrote:
https://gcc.gnu.org/install/ is back with a new face.
But it's not working properly due to some Content Security Policy:

Hmm, it worked in my testing before and I just tried again:

Firefox 106.0.1 (64-bit) and now also Chrome 106.0.5249.119
and w3m.

Which browser are you using? Any particular add-ons or special security
settings?

Refused to apply inline style because it violates the following Content
Security Policy directive: "default-src 'self' http: https:". Either the
'unsafe-inline' keyword, a hash
('sha256-wAI2VKPX8IUBbq55XacEljWEKQc4Xc1nmwVsAjAplNU='), or a nonce
('nonce-...') is required to enable inline execution. Note also that
'style-src' was not explicitly set, so 'default-src' is used as a fallback.

That looks like it's related to some Javascript fun? Does sphinx pull in
something? Ohhhh, it does. A lot.

I'm not using any Javascript blocker, though, so not sure why I am not
seeing any such warnings?

Searching for "+sphinx" and this message did not result in anything.

(It feels a bit curious how the position in the web server's file system
or a symlink could trigger something like that?)


Looking at the source code of index.html I am wondering about

   <html class="no-js" lang="en">

versus all the .js inclusions later on.

And https://validator.w3.org/nu/?doc=https%3A%2F%2Fgcc.gnu.org%2Finstall%2F
and 
https://validator.w3.org/nu/?doc=https%3A%2F%2Fgcc.gnu.org%2Fonlinedocs%2Finstall%2F
appear equally (un)happy.

Gerald

Well, I can also reproduce it on my mobile phone.

Anyway, the difference is:

$ curl https://gcc.gnu.org/install/index.html -v &> bad.txt
$ curl https://gcc.gnu.org/onlinedocs/install/index.html -v &> good.txt

$ diff -u good.txt bad.txt
--- good.txt    2022-11-10 11:33:45.293631904 +0100
+++ bad.txt     2022-11-10 11:33:37.813669264 +0100
@@ -32,31 +32,32 @@
 *  subjectAltName: host "gcc.gnu.org" matched cert's "gcc.gnu.org"
 *  issuer: C=US; O=Let's Encrypt; CN=R3
 *  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* 
Using HTTP2, server supports multiplexing
+* Using HTTP2, server supports multiplexing
 * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: 
len=0
 } [5 bytes data]
 * h2h3 [:method: GET]
-* h2h3 [:path: /onlinedocs/install/index.html]
+* h2h3 [:path: /install/index.html]
 * h2h3 [:scheme: https]
 * h2h3 [:authority: gcc.gnu.org]
 * h2h3 [user-agent: curl/7.86.0]
 * h2h3 [accept: */*]
 * Using Stream ID: 1 (easy handle 0x5555555bf890)
 } [5 bytes data]
-> GET /onlinedocs/install/index.html HTTP/2
+> GET /install/index.html HTTP/2
 > Host: gcc.gnu.org
 > user-agent: curl/7.86.0
 > accept: */*
 >
 { [5 bytes data]
 < HTTP/2 200
-< date: Thu, 10 Nov 2022 10:33:45 GMT
+< date: Thu, 10 Nov 2022 10:33:37 GMT
 < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k 
mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
 < last-modified: Wed, 09 Nov 2022 18:51:10 GMT
 < etag: "8232-5ed0e23e07250"
 < accept-ranges: bytes
 < content-length: 33330
 < vary: Accept-Encoding
+< content-security-policy: default-src 'self' http: https:
 < strict-transport-security: max-age=16070400
 < content-type: text/html; charset=utf-8
 <
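Review bot: the only header-level difference in this hunk is the added `+< content-security-policy: default-src 'self' http: https:` on /install/; since no `style-src` is set, that `default-src` governs inline `<style>` blocks and, lacking `'unsafe-inline'`, a hash or a nonce, blocks exactly the Sphinx styling the browser error reports. The fix belongs in the web server configuration for the /install/ path (drop the header there, or add a `style-src` carrying the hashes or a nonce for the inline blocks), not in the generated HTML. The `Using HTTP2, server supports multiplexing` line shows as changed only because the curl progress meter split it across two lines in good.txt; it is not a real difference.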
@@ -485,7 +486,7 @@
</aside>
100 33330  100 33330    0     0  61514      0 --:--:-- --:--:-- --:--:-- 61494
100 33330  100 33330    0     0  62652      0 --:--:-- --:--:-- --:--:-- 62768
 * Connection #0 to host gcc.gnu.org left intact
 v>
 </div><script data-url_root="./" id="documentation_options" 
src="_static/documentation_options.js"></script>
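Review bot: nothing in this hunk is a content change: the two unprefixed progress-meter lines differ only in transfer rate, and the `content-length: 33330`, `last-modified` and `etag` context lines in the first hunk are identical, so both paths serve the same HTML and the behavioural difference is entirely the CSP response header. Since `:authority:` is the same and only `:path:` differs, the header is most likely coming from a per-directory or per-location directive rather than a separate vhost.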

=======

See that the problematic one for some reason uses "content-security-policy: default-src 
'self' http: https:".
And it uses 'Using HTTP2, server supports multiplexing'

Martin
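An added example, not code from the thread: a small Python checker that applies the CSP fallback rule quoted in Gerald's browser error (a missing `style-src` inherits `default-src`) and shows the hash-based `style-src` that would admit a given inline `<style>` block without `'unsafe-inline'`. The policy string from the diff is real; the CSS body and the other policies are constructed.

```python
import base64
import hashlib

# The header seen on /install/ in the curl diff.
BAD_CSP = "default-src 'self' http: https:"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """CSP fallback: a fetch directive that is not set inherits default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def style_hash(css):
    """'sha256-<base64>' source expression for the body of an inline <style>."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_style_allowed(header, css, nonce=None):
    """True if an inline <style> with this exact body passes the policy."""
    sources = [s.strip("'") for s in effective_sources(parse_csp(header), "style-src")]
    has_hash_or_nonce = any(s.startswith(("sha256-", "nonce-")) for s in sources)
    # 'unsafe-inline' is ignored once a hash or nonce source is present.
    if "unsafe-inline" in sources and not has_hash_or_nonce:
        return True
    if style_hash(css) in sources:
        return True
    return nonce is not None and f"nonce-{nonce}" in sources


def hardened_policy(base, css):
    """Constructed fix: add an explicit style-src that admits exactly this block."""
    return f"{base}; style-src 'self' '{style_hash(css)}'"


if __name__ == "__main__":
    css = "body { color: red }"  # constructed stand-in for a Sphinx inline style
    print(inline_style_allowed(BAD_CSP, css))                        # False
    print(inline_style_allowed(hardened_policy(BAD_CSP, css), css))  # True
```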
