Add support for Content Security Policy (fixes #90)

This commit is contained in:
daudix
2024-10-05 22:45:06 +03:00
parent aa43730750
commit e2c3f7581b
6 changed files with 72 additions and 1 deletions


@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Add ability to enable inline table of contents in articles (#94 and #95). - Add ability to enable inline table of contents in articles (#94 and #95).
- Add ability to make table of contents use numbered lists (#95). - Add ability to make table of contents use numbered lists (#95).
- Add ability to open search by pressing the slash key. - Add ability to open search by pressing the slash key.
- Add support for Content Security Policy (#90).
### Changed ### Changed


@ -151,6 +151,18 @@ show_share_button = true
# Can be set per page/section. # Can be set per page/section.
# toc_ordered = true # toc_ordered = true
# #
# Whether to use Content Security Policy.
# Keep in mind that although this can potentially increase security,
# it can break some stuff, in which case you will need to set custom policy.
csp = [
{ directive = "font-src", domains = ["'self'", "data:"] },
{ directive = "img-src", domains = ["'self'", "https:", "data:"] },
{ directive = "media-src", domains = ["'self'", "https:", "data:"] },
{ directive = "script-src", domains = ["'self'", "'unsafe-inline'"] },
{ directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
{ directive = "frame-src", domains = ["https://player.vimeo.com", "https://www.youtube-nocookie.com"] },
{ directive = "connect-src", domains = ["https:"] },
]
# Display outlines around all elements for debugging purposes # Display outlines around all elements for debugging purposes
# debug_layout = true # debug_layout = true
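Review bot: The default `script-src` entry in the new `csp` list includes `'unsafe-inline'`, which lets any inline `<script>` run, so the shipped default does not mitigate injected inline scripts — the main thing a CSP is usually enabled for — and the comment above `csp = [` should say so instead of only that it "can potentially increase security". The policy is delivered through a `<meta http-equiv>` element (the new `partials/csp.html`), where `frame-ancestors`, `report-uri` and `sandbox` are ignored by browsers, which is also worth stating next to the setting so users don't add them expecting an effect. Suggested addition to the comment block: `# The defaults allow 'unsafe-inline' for script-src and style-src so inline scripts and styles keep working; this gives no protection against injected inline code, so tighten it (e.g. hashes) if you rely on CSP for that.` followed by `# The policy is set via a <meta> tag, so frame-ancestors, report-uri and sandbox are not supported.`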


@ -1,3 +1,5 @@
{#- Taken from https://github.com/welpo/tabi/blob/7b00ed1d9dca5c529d2816c5b6679bfe600d63fc/templates/macros/translate.html -#}
{#- Dynamically selects the appropriate translation key based on the provided `number` and `lang` context. {#- Dynamically selects the appropriate translation key based on the provided `number` and `lang` context.
If a `number` is provided, the macro will attempt to pluralize the translation key based on the language's rules. If a `number` is provided, the macro will attempt to pluralize the translation key based on the language's rules.


@ -0,0 +1,53 @@
{#- Based on https://github.com/welpo/tabi/blob/7b00ed1d9dca5c529d2816c5b6679bfe600d63fc/templates/partials/content_security_policy.html -#}
<meta http-equiv="Content-Security-Policy"
content="default-src 'self'
{%- if config.extra.csp -%}
{#- Initialise a base script-src directive -#}
{%- set script_src = "script-src 'self'" -%}
{#- Initialise a base connect-src directive -#}
{%- set connect_src = "connect-src 'self'" -%}
{# Base logic for appending analytics domains #}
{%- if config.extra.goatcounter %}
{%- set goatcounter_host = config.extra.goatcounter.host | default(value='goatcounter.com') -%}
{%- set goatcounter_url = "https://" ~ config.extra.goatcounter.user ~ "." ~ goatcounter_host ~ "/count" %}
{%- set script_src = script_src ~ " " ~ goatcounter_url -%}
{%- set connect_src = connect_src ~ " " ~ goatcounter_url -%}
{%- endif %}
{#- Append WebSocket for Zola serve mode -#}
{%- if config.mode == "serve" -%}
{%- set connect_src = connect_src ~ " ws:" -%}
{%- endif -%}
{%- for domain in config.extra.csp -%}
{%- if domain.directive == "connect-src" -%}
{%- set configured_connect_src = domain.domains | join(sep=' ') -%}
{%- set_global connect_src = connect_src ~ " " ~ configured_connect_src -%}
{%- continue -%}
{%- endif -%}
{%- if domain.directive == "script-src" -%}
{%- set configured_script_src = domain.domains | join(sep=' ') -%}
{%- set_global script_src = script_src ~ " " ~ configured_script_src -%}
{%- continue -%}
{%- endif -%}
{#- Handle directives that are not connect-src -#}
{{ domain.directive }} {{ domain.domains | join(sep=' ') -}}
{%- if not loop.last -%}
;
{%- endif -%}
{%- endfor -%}
{#- Insert the generated connect-src -#}
{{ ";" ~ connect_src }}
{#- Insert the generated script-src -#}
{{ ";" ~ script_src }}
{%- endif -%}">
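Review bot: The first directive written by the `for` loop appears to be joined to `default-src 'self'` with no `;` between them: every tag from `{%- if config.extra.csp -%}` down to the `{#- Handle directives … -#}` comment uses `-` trimming, so with the default config the attribute would start `default-src 'self'font-src 'self' data:;img-src …`, where a browser treats `'self'font-src` as an invalid source expression for `default-src` and the `font-src` directive is lost. The rendered view omits 12 of this hunk's 53 lines, presumably blank ones, so this should be confirmed against the generated HTML rather than taken as certain. The trailing `connect-src` and `script-src` lines already prefix the directive with `;`; doing the same inside the loop and dropping the `loop.last` handling makes every separator explicit: replace the `{{ domain.directive }} {{ domain.domains | join(sep=' ') -}}` line and the three `{%- if not loop.last -%}` … `{%- endif -%}` lines with `{{ ";" ~ domain.directive }} {{ domain.domains | join(sep=' ') -}}`. A resulting `;;` (when the loop's last entry is `connect-src` or `script-src`) is tolerated by the CSP parser, which skips empty directives.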


@ -7,6 +7,9 @@
{%- if config.extra.accent_color_dark %} {%- if config.extra.accent_color_dark %}
<meta name="theme-color" content="{{ config.extra.accent_color_dark | safe }}" media="(prefers-color-scheme:dark)" /> <meta name="theme-color" content="{{ config.extra.accent_color_dark | safe }}" media="(prefers-color-scheme:dark)" />
{%- endif %} {%- endif %}
{%- if config.extra.csp %}
{%- include "partials/csp.html" %}
{%- endif %}
<title>{% include "partials/title.html" %}</title> <title>{% include "partials/title.html" %}</title>
<link rel="canonical" href="{{ current_url | default(value='/') | safe }}" /> <link rel="canonical" href="{{ current_url | default(value='/') | safe }}" />
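Review bot: A policy set through a `<meta http-equiv="Content-Security-Policy">` element only applies to content parsed after it, so the new include should be as early in `<head>` as possible; lines 1–6 of this file are outside the hunk, so whether any `<link>`, `<style>` or `<script>` precedes it cannot be seen here — if one does, it is not governed by the policy. The `{%- if config.extra.csp %}` guard around the include is the right place for the check, since rendering the partial unconditionally would emit a bare `default-src 'self'` policy; it does make the same `{%- if config.extra.csp -%}` test at the top of `partials/csp.html` redundant, though harmlessly so. A short comment such as `{#- CSP must precede any resource-loading tag; only content after this meta is governed -#}` above the include would make the ordering constraint visible to the next editor.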


@ -1,4 +1,4 @@
{#- Based on https://github.com/welpo/tabi/blob/main/templates/partials/language_switcher.html -#} {#- Based on https://github.com/welpo/tabi/blob/7b00ed1d9dca5c529d2816c5b6679bfe600d63fc/templates/partials/language_switcher.html -#}
<li id="language-switcher"> <li id="language-switcher">
<details class="closable"> <details class="closable">