Merge pull request #4 from charlesrocket/csp

charlesrocket · Jan 23, 2024 · 85797b2 · 85797b2
2 parents f426d47 + 22df24e
commit 85797b2
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/content/posts/image/index.md b/content/posts/image/index.md
@@ -3,9 +3,10 @@ title = "Image"
 date = 2023-06-03
 [taxonomies]
 categories = ["media"]
-tags = ["content", "shortcode"]
+tags = ["content", "csp", "shortcode"]
 [extra]
 subtitle = "Shortcodes for images"
+csp_img = ["raw.githubusercontent.com/charlesrocket/beastie/"]
 +++
 
 All variables (except `img`) are optional.
@@ -51,3 +52,34 @@ output:
 ```
 
 {{ image(img="fireball.gif") }}
+
+## CSP
+
+Add `csp = enable` to the config's `extra` section to enable Content Security Policy globally. Use front matter's `csp_img` to add URLs:
+
+```
++++
+title = "Image"
+date = 2023-06-03
+[taxonomies]
+categories = ["media"]
+tags = ["content", "csp", "shortcode"]
+[extra]
+subtitle = "Shortcodes for images"
+csp_img = ["raw.githubusercontent.com/charlesrocket/beastie/"]
++++
+```
+
+input:
+
+```rs
+{{/* image(img="https://raw.githubusercontent.com/charlesrocket/beastie/master/doc/screenshot.gif", caption="CSP test image") */}}
+```
+
+output:
+
+```html
+{{ image(img="https://raw.githubusercontent.com/charlesrocket/beastie/master/doc/screenshot.gif", caption="CSP test image"") }}
+```
+
+{{ image(img="https://raw.githubusercontent.com/charlesrocket/beastie/master/doc/screenshot.gif", caption="CSP test image") }}
diff --git a/templates/partials/head.html b/templates/partials/head.html
@@ -18,7 +18,7 @@
   <meta name="base" content="{{ config.base_url | safe }}"/>
   <meta name="referrer" content="strict-origin-when-cross-origin"/>
   {% if config.extra.csp %}
-  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src 'self'; img-src 'self' {% if page.extra.image %}{% if page.extra.image is starting_with("https://") %}{{ page.extra.image }}{% endif %}{% endif %} {% if config.extra.home_image is starting_with("https://") %}{{ config.extra.home_image }}{% endif %} {% if config.extra.post_list_image is starting_with("https://") %}{{ config.extra.post_list_image }}{% endif %} {% if config.extra.default_post_image is starting_with("https://") %}{{ config.extra.default_post_image }}{% endif %} raw.githubusercontent.com/charlesrocket/ www.hackthebox.com/badge/image/56695 asciinema.org/a/; script-src 'self' giscus.app/client.js; manifest-src 'self'; style-src 'self' {% if page_image_hash %}'sha512-{{ page_image_hash | safe }}'{% else %}'sha512-{{ default_post_image_hash | safe }}'{% endif %} 'sha512-{{ main_images_hash | safe }}' giscus.app/default.css; media-src 'self'; frame-src 'self' giscus.app; object-src 'none'; base-uri 'self'; form-action 'self'">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src 'self'; img-src 'self' {% if page.extra.image %}{% if page.extra.image is starting_with("https://") %}{{ page.extra.image }}{% endif %}{% endif %} {% if config.extra.home_image is starting_with("https://") %}{{ config.extra.home_image }}{% endif %} {% if config.extra.post_list_image is starting_with("https://") %}{{ config.extra.post_list_image }}{% endif %} {% if config.extra.default_post_image is starting_with("https://") %}{{ config.extra.default_post_image }}{% endif %}{% if page.extra.csp_img %}{%for url in page.extra.csp_img %} {{ url }}{% endfor %}{% endif %}{% if section.extra.csp_img %}{%for url in section.extra.csp_img %} {{ url }}{% endfor %}{% endif %}; script-src 'self' giscus.app/client.js; manifest-src 'self'; style-src 'self' {% if page_image_hash %}'sha512-{{ page_image_hash | safe }}'{% else %}'sha512-{{ default_post_image_hash | safe }}'{% endif %} 'sha512-{{ main_images_hash | safe }}' giscus.app/default.css; media-src 'self'; frame-src 'self' giscus.app; object-src 'none'; base-uri 'self'; form-action 'self'">
   {% endif %}
   <meta name="robots" content="index,follow">
   <meta name="theme-color" content="#2C2D32"/>