From e2c3f7581bf5ad841a15bd35c80fa57f2c82940a Mon Sep 17 00:00:00 2001
From: daudix
Date: Sat, 5 Oct 2024 22:45:06 +0300
Subject: [PATCH] Add support for Content Security Policy (fixes #90)

---
 CHANGELOG.md                              |  1 +
 config.toml                               | 12 +++++
 templates/macros/translate.html           |  2 +
 templates/partials/csp.html               | 53 +++++++++++++++++++++++
 templates/partials/head.html              |  3 ++
 templates/partials/language_switcher.html |  2 +-
 6 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 templates/partials/csp.html

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6ab7f4..d4274b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add ability to enable inline table of contents in articles (#94 and #95).
 - Add ability to make table of contents use numbered lists (#95).
 - Add ability to open search by pressing the slash key.
+- Add support for Content Security Policy (#90).
 
 ### Changed
 
diff --git a/config.toml b/config.toml
index d05878b..d756a2e 100644
--- a/config.toml
+++ b/config.toml
@@ -151,6 +151,18 @@ show_share_button = true
 # Can be set per page/section.
 # toc_ordered = true
 #
+# Whether to use Content Security Policy.
+# Keep in mind that although this can potentially increase security,
+# it can break some stuff, in which case you will need to set custom policy.
+csp = [
+ { directive = "font-src", domains = ["'self'", "data:"] },
+ { directive = "img-src", domains = ["'self'", "https:", "data:"] },
+ { directive = "media-src", domains = ["'self'", "https:", "data:"] },
+ { directive = "script-src", domains = ["'self'", "'unsafe-inline'"] },
+ { directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
+ { directive = "frame-src", domains = ["https://player.vimeo.com", "https://www.youtube-nocookie.com"] },
+ { directive = "connect-src", domains = ["https:"] },
+]
 
 # Display outlines around all elements for debugging purposes
 # debug_layout = true
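Review bot: The default `script-src` and `style-src` entries both carry `'unsafe-inline'`, which allows any inline script the page contains to run and so gives up most of the protection the comment three lines above promises; the comment should state this plainly, e.g. `# Note: 'unsafe-inline' in script-src disables CSP's protection against injected inline scripts; use nonce- or hash-based sources for real XSS mitigation.` The list also has no fallback: without a `default-src` entry, unlisted directives such as `object-src` stay unrestricted, and `base-uri`/`form-action` never inherit a fallback at all, so a safer shipped default would add `{ directive = "default-src", domains = ["'self'"] }`, `{ directive = "object-src", domains = ["'none'"] }` and `{ directive = "base-uri", domains = ["'self'"] }`. Finally, the `domains` key holds CSP source expressions (`'self'`, `data:`, `https:`), not domains, which the comment should mention so users writing a custom policy know which values are valid there.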
diff --git a/templates/macros/translate.html b/templates/macros/translate.html index 474e318..db9d873 100644 --- a/templates/macros/translate.html +++ b/templates/macros/translate.html @@ -1,3 +1,5 @@ +{#- Taken from https://github.com/welpo/tabi/blob/7b00ed1d9dca5c529d2816c5b6679bfe600d63fc/templates/macros/translate.html -#} + {#- Dynamically selects the appropriate translation key based on the provided `number` and `lang` context. If a `number` is provided, the macro will attempt to pluralize the translation key based on the language's rules. diff --git a/templates/partials/csp.html b/templates/partials/csp.html new file mode 100644 index 0000000..782f6a8 --- /dev/null +++ b/templates/partials/csp.html @@ -0,0 +1,53 @@ +{#- Based on https://github.com/welpo/tabi/blob/7b00ed1d9dca5c529d2816c5b6679bfe600d63fc/templates/partials/content_security_policy.html -#} + + diff --git a/templates/partials/head.html b/templates/partials/head.html index c9cbff6..acdaebd 100644 --- a/templates/partials/head.html +++ b/templates/partials/head.html @@ -7,6 +7,9 @@ {%- if config.extra.accent_color_dark %} {%- endif %} + {%- if config.extra.csp %} + {%- include "partials/csp.html" %} + {%- endif %} {% include "partials/title.html" %} diff --git a/templates/partials/language_switcher.html b/templates/partials/language_switcher.html index fde3c4a..6c37e78 100644 --- a/templates/partials/language_switcher.html +++ b/templates/partials/language_switcher.html @@ -1,4 +1,4 @@ -{#- Based on https://github.com/welpo/tabi/blob/main/templates/partials/language_switcher.html -#} +{#- Based on https://github.com/welpo/tabi/blob/7b00ed1d9dca5c529d2816c5b6679bfe600d63fc/templates/partials/language_switcher.html -#}
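Review bot: In the `head.html` hunk the new `{%- include "partials/csp.html" %}` is placed after the `accent_color_dark` block rather than at the very top of `<head>`; if `partials/csp.html` emits a `<meta http-equiv="Content-Security-Policy">` (its body is not visible in this view, only its attribution comment), a meta-delivered policy governs only content parsed after the tag, so anything the preceding blocks emit — an inline `<style>` or `<meta>`, for instance — is never checked against it. Moving the three new lines to the first position in `head.html`, or adding a comment in `csp.html` explaining why the current position is sufficient, would close that gap. The check `{%- if config.extra.csp %}` is a truthiness test, so an empty `csp = []` silently disables the feature; a short comment on that line, `{#- An empty csp list disables the policy entirely -#}`, would make the off switch discoverable. The enclosing `<head>` element starts and ends outside the hunk.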