Inicio Explorar Axuda
Rexistro Iniciar sesión
a.druzhinin
/
hugo-coder
réplica de https://github.com/luizdepra/hugo-coder.git
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Adds Content-Security-Policy template to theme (#504)

* feat: added csp.html template to theme head element

* feat: added my name to CONTRIBUTORS

* fix: added conditional logic for templating to stabilize build

* feat: Added CSP section to example config.toml

* fix: updated template logic

* updated contributors to reference website and not github

* fix conflict with contributors, moved csp out of _shared dir

Co-authored-by: Luiz F. A. de Prá <luizdepra@users.noreply.github.com>
Alex Miranda %!s(int64=5) %!d(string=hai) anos
pai
74d160b325
achega
edea1118eb
Modificáronse 4 ficheiros con 24 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 1 0
      CONTRIBUTORS.md
  2. 19 0
      exampleSite/config.toml
  3. 3 0
      layouts/_default/baseof.html
  4. 1 0
      layouts/partials/csp.html

+ 1 - 0
CONTRIBUTORS.md
Ver ficheiro 

@@ -90,3 +90,4 @@
 
 - [JaeSang Yoo](https://github.com/JSYoo5B)
 
 - [Felix](https://github.com/lazyyz)
 
 - [Peter Duchnovsky](https://pduchnovsky.com)
 
+- [Alex Miranda](https://ammiranda.com)

+ 19 - 0
exampleSite/config.toml
Ver ficheiro 

@@ -80,6 +80,25 @@ disqusShortname = "yourdiscussshortname"
 
 [params.cloudflare]
 
     token = "token"
 
 
+# If you want to implement a Content-Security-Policy, add this section
 
+[params.csp]
 
+	childsrc = ["'self'"]
 
+	fontsrc=["'self'",
 
+		"https://fonts.gstatic.com",
 
+		"https://cdn.jsdelivr.net/"]
 
+	formaction = ["'self'"]
 
+	framesrc = ["'self'"]
 
+	imgsrc = ["'self'"]
 
+	objectsrc = ["'none'"]
 
+	stylesrc = ["'self'",
 
+		"'unsafe-inline'",
 
+		"https://fonts.googleapis.com/",
 
+		"https://cdn.jsdelivr.net/"]
 
+	scriptsrc = ["'self'",
 
+		"'unsafe-inline'",
 
+		"https://www.google-analytics.com"]
 
+	prefetchsrc = ["'self'"]
 
+
 
 [taxonomies]
 
   category = "categories"
 
   series = "series"

+ 3 - 0
layouts/_default/baseof.html
Ver ficheiro 

@@ -5,6 +5,9 @@
 
     <meta charset="utf-8">
 
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
     <meta http-equiv="Content-Language" content="{{ .Site.Language.Lang }}">
 
+    {{ if .Site.Params.csp }}
 
+      {{ partial "csp.html" . }}
 
+    {{ end }}
 
 
     {{ with .Site.Params.author }}<meta name="author" content="{{ . }}">{{ end }}
 
     <meta name="description" content="{{ .Description | default (.Summary | default .Site.Params.description ) }}">

+ 1 - 0
layouts/partials/csp.html
Ver ficheiro 

@@ -0,0 +1 @@
 
+{{ printf `<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content; default-src 'self'; child-src %s; font-src %s; form-action %s; frame-src %s; img-src %s; object-src %s; style-src %s; script-src %s; prefetch-src %s;">` (delimit .Site.Params.csp.childsrc " ") (delimit .Site.Params.csp.fontsrc " ") (delimit .Site.Params.csp.formaction " ") (delimit .Site.Params.csp.framesrc " ") (delimit .Site.Params.csp.imgsrc " ") (delimit .Site.Params.csp.objectsrc " ") (delimit .Site.Params.csp.stylesrc " ") (delimit .Site.Params.csp.scriptsrc " ") (delimit .Site.Params.csp.prefetchsrc " ") | safeHTML }}