From 5d1753b7c6d60c5eb981a702c8dd73837dbcccee Mon Sep 17 00:00:00 2001
From: tdro
Date: Thu, 6 Oct 2022 14:18:58 -0400
Subject: themes/default/layouts/partials/base-head: Crudely serialize policy

To add new rules without changing source code. Allow setting robots meta tag.
---
 config.json | 40 ++++++++++-------
 config.toml | 32 ++++++++------
 config.yaml | 32 ++++++++------
 themes/default/layouts/partials/base-csp.html | 60 ++++++++++----------------
 themes/default/layouts/partials/base-head.html | 2 +-
 5 files changed, 84 insertions(+), 82 deletions(-)

diff --git a/config.json b/config.json
index e7948bf..43ec38f 100644
--- a/config.json
+++ b/config.json
@@ -94,7 +94,9 @@
 "params": {
 "site": {
 "production": false,
- "refresh": null
+ "referrer": "no-referrer",
+ "refresh": null,
+ "robots": "index,follow"
 },
 "webmanifest": {
 "name": "Micro Blog",
@@ -105,19 +107,24 @@
 "logo": "data/media/logo.png"
 },
 "csp": {
- "upgrade": false,
- "referrer": "no-referrer",
- "childsrc": [
+ "block-all-mixed-content": "",
+ "child-src": [
+ "'self'"
+ ],
+ "connect-src": [
 "'self'"
 ],
- "fontsrc": [
+ "default-src": [
 "'self'"
 ],
- "formaction": [
+ "font-src": [
+ "'self'"
+ ],
+ "form-action": [
 "'self'",
 "lite.duckduckgo.com"
 ],
- "framesrc": [
+ "frame-src": [
 "'self'",
 "imgur.com",
 "www.youtube-nocookie.com",
@@ -126,38 +133,41 @@
 "odysee.com",
 "docs.google.com"
 ],
- "imgsrc": [
+ "img-src": [
 "'self'",
 "http://preview.test",
 "imgs.xkcd.com"
 ],
- "mediasrc": [
+ "manifest-src": [
+ "'self'"
+ ],
+ "media-src": [
 "'self'",
 "raw.githubusercontent.com",
 "i.imgur.com"
 ],
- "objectsrc": [
+ "object-src": [
 "'none'"
 ],
- "prefetchsrc": [
+ "prefetch-src": [
 "'self'"
 ],
- "scriptsrc": [
+ "script-src-elem": [
 "'self'",
 "s.imgur.com",
 "platform.twitter.com"
 ],
- "scriptsrcelem": [
+ "script-src": [
 "'self'",
 "s.imgur.com",
 "platform.twitter.com"
 ],
- "stylesrc": [
+ "style-src": [
 "'self'",
 "'unsafe-inline'",
 "http://preview.test"
 ],
- "connectsrc": [
+ "worker-src": [
 "'self'"
 ]
 },
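Review bot: `block-all-mixed-content`, the new first entry of the `csp` map that replaces the old `upgrade` switch, is deprecated in CSP Level 3 and current browsers already block blockable mixed content by default, so it adds little; `upgrade-insecure-requests` is the directive that is still specified, although turning it on would also upgrade the plain `http://preview.test` entries under `img-src` and `style-src`. `prefetch-src` has likewise been removed from the specification and is ignored by current browsers, so both keys mostly add noise to the header. The `""` value is a convention the template depends on — an empty string means "emit the directive name with no sources" — and nothing in the configuration says so; JSON cannot carry a comment, but the mirrored `csp` tables in config.toml and config.yaml (the two hunks that follow) can take `# "" marks a keyword directive with no sources; lists are joined with spaces` above the table, and the README should state that only string lists and empty strings are accepted. Because the three files must stay in lockstep, a drift between them would only surface as a silently malformed policy, so a single source of truth or a build-time comparison is worth considering.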
diff --git a/config.toml b/config.toml
index 99fde46..6b6fdcd 100644
--- a/config.toml
+++ b/config.toml
@@ -88,6 +88,8 @@ enableRobotsTXT = true
 [params.site]
 production = false
+ referrer = "no-referrer"
+ robots = "index,follow"
 [params.webmanifest]
 name = "Micro Blog"
@@ -98,20 +100,22 @@ enableRobotsTXT = true
 logo = "data/media/logo.png"
 [params.csp]
- upgrade = false
- referrer = "no-referrer"
- childsrc = ["'self'"]
- fontsrc = ["'self'"]
- formaction = ["'self'", "lite.duckduckgo.com"]
- framesrc = ["'self'", "imgur.com", "www.youtube-nocookie.com", "platform.twitter.com", "en.m.wikipedia.org", "odysee.com", "docs.google.com"]
- imgsrc = ["'self'", "http://preview.test", "imgs.xkcd.com"]
- mediasrc = ["'self'", "raw.githubusercontent.com", "i.imgur.com"]
- objectsrc = ["'none'"]
- prefetchsrc = ["'self'"]
- scriptsrc = ["'self'", "s.imgur.com", "platform.twitter.com"]
- scriptsrcelem = ["'self'", "s.imgur.com", "platform.twitter.com"]
- stylesrc = ["'self'", "'unsafe-inline'", "http://preview.test"]
- connectsrc = ["'self'"]
+ block-all-mixed-content = ""
+ child-src = ["'self'"]
+ connect-src = ["'self'"]
+ default-src = ["'self'"]
+ font-src = ["'self'"]
+ form-action = ["'self'", "lite.duckduckgo.com"]
+ frame-src = ["'self'", "imgur.com", "www.youtube-nocookie.com", "platform.twitter.com", "en.m.wikipedia.org", "odysee.com", "docs.google.com"]
+ img-src = ["'self'", "http://preview.test", "imgs.xkcd.com"]
+ manifest-src = ["'self'"]
+ media-src = ["'self'", "raw.githubusercontent.com", "i.imgur.com"]
+ object-src = ["'none'"]
+ prefetch-src = ["'self'"]
+ script-src-elem = ["'self'", "s.imgur.com", "platform.twitter.com"]
+ script-src = ["'self'", "s.imgur.com", "platform.twitter.com"]
+ style-src = ["'self'", "'unsafe-inline'", "http://preview.test"]
+ worker-src = ["'self'"]
 [params.search]
diff --git a/config.yaml b/config.yaml
index b14283e..d135044 100644
--- a/config.yaml
+++ b/config.yaml
@@ -77,7 +77,9 @@ markup:
 params:
 site:
 production: false
+ referrer: no-referrer
 refresh:
+ robots: index,follow
 webmanifest:
 name: Micro Blog
 shortName: Micro
@@ -86,21 +88,23 @@ params:
 display: standalone
 logo: data/media/logo.png
 csp:
- upgrade: false
- referrer: no-referrer
- childsrc: ["'self'"]
- fontsrc: ["'self'"]
- formaction: ["'self'", lite.duckduckgo.com]
- framesrc: ["'self'", imgur.com, www.youtube-nocookie.com, platform.twitter.com,
+ block-all-mixed-content: ''
+ child-src: ["'self'"]
+ connect-src: ["'self'"]
+ default-src: ["'self'"]
+ font-src: ["'self'"]
+ form-action: ["'self'", lite.duckduckgo.com]
+ frame-src: ["'self'", imgur.com, www.youtube-nocookie.com, platform.twitter.com,
 en.m.wikipedia.org, odysee.com, docs.google.com]
- imgsrc: ["'self'", http://preview.test, imgs.xkcd.com]
- mediasrc: ["'self'", raw.githubusercontent.com, i.imgur.com]
- objectsrc: ["'none'"]
- prefetchsrc: ["'self'"]
- scriptsrc: ["'self'", s.imgur.com, platform.twitter.com]
- scriptsrcelem: ["'self'", s.imgur.com, platform.twitter.com]
- stylesrc: ["'self'", "'unsafe-inline'", http://preview.test]
- connectsrc: ["'self'"]
+ img-src: ["'self'", http://preview.test, imgs.xkcd.com]
+ manifest-src: ["'self'"]
+ media-src: ["'self'", raw.githubusercontent.com, i.imgur.com]
+ object-src: ["'none'"]
+ prefetch-src: ["'self'"]
+ script-src-elem: ["'self'", s.imgur.com, platform.twitter.com]
+ script-src: ["'self'", s.imgur.com, platform.twitter.com]
+ style-src: ["'self'", "'unsafe-inline'", http://preview.test]
+ worker-src: ["'self'"]
 search:
 verification:
 google:
diff --git a/themes/default/layouts/partials/base-csp.html b/themes/default/layouts/partials/base-csp.html
index 9519e14..55719d8 100644
--- a/themes/default/layouts/partials/base-csp.html
+++ b/themes/default/layouts/partials/base-csp.html
@@ -1,42 +1,26 @@ -{{ $upgrade := "" }} -{{ if .Site.Params.csp.upgrade }} - {{ $upgrade = "upgrade-insecure-requests;" }} -{{- end -}} + + +{{- if .Site.Params.csp }} - +{{ + $policy := .Site.Params.csp + | jsonify + | replaceRE "\":\"\",\"" ";\n" + | replaceRE "{\"" "" + | replaceRE "\"],\"" ";\n" + | replaceRE "\",\"" " " + | replaceRE "\":\\[\"" " " + | replaceRE "\"]}" ";" + | replaceRE "\":\"\"}" ";" + | plainify +-}} {{ printf ` -` - ($upgrade) - (delimit .Site.Params.csp.childsrc " ") - (delimit .Site.Params.csp.connectsrc " ") - (delimit .Site.Params.csp.fontsrc " ") - (delimit .Site.Params.csp.formaction " ") - (delimit .Site.Params.csp.framesrc " ") - (delimit .Site.Params.csp.imgsrc " ") - (delimit .Site.Params.csp.mediasrc " ") - (delimit .Site.Params.csp.objectsrc " ") - (delimit .Site.Params.csp.prefetchsrc " ") - (delimit .Site.Params.csp.scriptsrc " ") - (delimit .Site.Params.csp.scriptsrcelem " ") - (delimit .Site.Params.csp.stylesrc " ") - | safeHTML }} +` +$policy | safeHTML +}} + +{{- end -}} diff --git a/themes/default/layouts/partials/base-head.html b/themes/default/layouts/partials/base-head.html index 7672f22..3ef919e 100644 --- a/themes/default/layouts/partials/base-head.html +++ b/themes/default/layouts/partials/base-head.html @@ -15,7 +15,7 @@ {{ if or .Params.Unlisted .Params.ExpiryDate -}} {{- else -}} - + {{- end }} -- cgit v1.2.3
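Review bot: The `replaceRE` chain that builds `$policy` only round-trips two value shapes — a non-empty list of strings and an empty string — so any other value under `params.csp` (a non-empty string such as the old `referrer`, a boolean like the removed `upgrade`, a number, or an empty list) matches none of the eight patterns and leaks raw JSON punctuation into the policy, which the browser then drops or misparses without any build-time signal. Iterating the map instead removes the dependency on `jsonify`'s exact punctuation and keeps the same output, since Go template `range` over a map visits keys in sorted order just as `jsonify` emits them; the rewrite below keeps the `""` convention for keyword directives. Whichever approach is kept, the accepted value shapes should be stated above the block, e.g. `{{/* params.csp: directive -> list of sources; "" marks a keyword directive with no sources */}}`. The `printf` template string that places `$policy` in the meta element is not visible in this hunk, so the attribute quoting around the `safeHTML` (hence unescaped) value could not be checked; only trusted site configuration should ever reach it.
```html
{{- if .Site.Params.csp }}
{{- $rules := slice -}}
{{- range $directive, $sources := .Site.Params.csp -}}
  {{- if reflect.IsSlice $sources -}}
    {{- $sources = delimit $sources " " -}}
  {{- end -}}
  {{- /* a "" value renders as the bare directive name, e.g. block-all-mixed-content */ -}}
  {{- $rules = $rules | append (trim (printf "%s %s" $directive $sources) " ") -}}
{{- end -}}
{{- $policy := printf "%s;" (delimit $rules ";\n") -}}
{{- /* … unchanged: printf of the meta element with $policy | safeHTML … */ -}}
```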