authorAlejandro Soto <alejandro@34project.org>2025-09-13 14:55:15 -0600
committerAlejandro Soto <alejandro@34project.org>2025-09-13 14:55:15 -0600
commita2ea06d513a5802964f8f0ef5795cec7e548ed7b (patch)
tree8afb58e3749d19bc46cffc6473f3059d647c515b /templates/partials/content_security_policy.html
Squashed 'themes/tabi-lean/' content from commit 95c8796
git-subtree-dir: themes/tabi-lean git-subtree-split: 95c879696445ede40daa7a30a88dae5dd74d5c0c
Diffstat (limited to 'templates/partials/content_security_policy.html')
-rw-r--r--templates/partials/content_security_policy.html119
1 files changed, 119 insertions, 0 deletions
diff --git a/templates/partials/content_security_policy.html b/templates/partials/content_security_policy.html
new file mode 100644
index 0000000..e8fa062
--- /dev/null
+++ b/templates/partials/content_security_policy.html
@@ -0,0 +1,119 @@
+<meta http-equiv="Content-Security-Policy"
+content="default-src 'self'
+{%- if config.extra.allowed_domains -%}
+;
+ {#- Check if a comment system is enabled to allow the necessary domains and directives -#}
+ {%- set utterances_enabled = config.extra.utterances.enabled_for_all_posts or page.extra.utterances -%}
+ {%- set giscus_enabled = config.extra.giscus.enabled_for_all_posts or page.extra.giscus -%}
+ {%- set hyvortalk_enabled = config.extra.hyvortalk.enabled_for_all_posts or page.extra.hyvortalk -%}
+ {%- set isso_enabled = config.extra.isso.enabled_for_all_posts or page.extra.isso -%}
+ {%- if page -%}
+ {%- set iine_enabled = macros_settings::evaluate_setting_priority(setting="iine", page=page, default_global_value=false) == "true" -%}
+ {%- endif -%}
+ {%- if page -%}
+ {%- set mermaid_enabled = macros_settings::evaluate_setting_priority(setting="mermaid", page=page, default_global_value=false) == "true" -%}
+ {%- endif -%}
+ {%- set serve_local_mermaid = config.extra.serve_local_mermaid | default(value=true) -%}
+
+ {#- Initialise a base script-src directive -#}
+ {%- set script_src = "script-src 'self'" -%}
+
+ {#- Initialise a base connect-src directive -#}
+ {%- set connect_src = "connect-src 'self'" -%}
+
+ {# Base logic for appending analytics domains #}
+ {%- set analytics_url = config.extra.analytics.self_hosted_url | default(value="") %}
+ {%- if analytics_url -%}
+ {%- set script_src = script_src ~ " " ~ analytics_url -%}
+ {%- set connect_src = connect_src ~ " " ~ analytics_url -%}
+ {%- else -%}
+ {%- if config.extra.analytics.service -%}
+ {%- if config.extra.analytics.service == "goatcounter" -%}
+ {%- set script_src = script_src ~ " gc.zgo.at" -%}
+ {%- set connect_src = connect_src ~ " " ~ config.extra.analytics.id ~ ".goatcounter.com/count" -%}
+ {%- elif config.extra.analytics.service == "umami" -%}
+ {%- set script_src = script_src ~ " cloud.umami.is" -%}
+ {%- set connect_src = connect_src ~ " *.umami.dev" ~ " cloud.umami.is" -%}
+ {%- elif config.extra.analytics.service == "plausible" -%}
+ {%- set script_src = script_src ~ " plausible.io" -%}
+ {%- set connect_src = connect_src ~ " plausible.io" -%}
+ {%- endif -%}
+ {%- endif -%}
+ {%- endif -%}
+
+ {%- if hyvortalk_enabled -%}
+ {%- set connect_src = connect_src ~ " talk.hyvor.com" -%}
+ {%- set script_src = script_src ~ " talk.hyvor.com" -%}
+ {%- elif isso_enabled -%}
+ {%- set connect_src = connect_src ~ " " ~ config.extra.isso.endpoint_url -%}
+ {%- set script_src = script_src ~ " " ~ config.extra.isso.endpoint_url -%}
+ {%- elif giscus_enabled -%}
+ {%- set script_src = script_src ~ " " ~ " giscus.app" -%}
+ {%- elif utterances_enabled -%}
+ {%- set script_src = script_src ~ " " ~ " utteranc.es" -%}
+ {%- endif -%}
+
+ {%- if (mermaid_enabled and not serve_local_mermaid) or iine_enabled -%}
+ {%- set script_src = script_src ~ " " ~ " cdn.jsdelivr.net" -%}
+ {%- endif -%}
+
+ {#- Check if a webmention system is enabled to allow the necessary domains and directives -#}
+ {%- if config.extra.webmentions.enable -%}
+ {%- set connect_src = connect_src ~ " webmention.io" -%}
+ {%- endif -%}
+
+ {#- Check if iine like buttons are enabled to allow the necessary domains -#}
+ {%- if iine_enabled -%}
+ {%- set connect_src = connect_src ~ " vhiweeypifbwacashxjz.supabase.co" -%}
+ {%- endif -%}
+
+ {#- Append WebSocket for Zola serve mode -#}
+ {%- if config.mode == "serve" -%}
+ {%- set connect_src = connect_src ~ " ws:" -%}
+ {%- endif -%}
+
+ {%- for domain in config.extra.allowed_domains -%}
+ {%- if domain.directive == "connect-src" -%}
+ {%- set configured_connect_src = domain.domains | join(sep=' ') | safe -%}
+ {%- set_global connect_src = connect_src ~ " " ~ configured_connect_src -%}
+ {%- continue -%}
+ {%- endif -%}
+
+ {%- if domain.directive == "script-src" -%}
+ {%- set configured_script_src = domain.domains | join(sep=' ') | safe -%}
+ {%- set_global script_src = script_src ~ " " ~ configured_script_src -%}
+ {%- continue -%}
+ {%- endif -%}
+
+ {#- Handle directives that are not connect-src -#}
+ {{ domain.directive }} {{ domain.domains | join(sep=' ') | safe -}}
+
+ {%- if domain.directive == "style-src" -%}
+ {%- if utterances_enabled or hyvortalk_enabled or mermaid_enabled %} 'unsafe-inline'
+ {%- endif -%}
+ {%- endif -%}
+
+ {%- if domain.directive == "font-src" -%}
+ {%- if mermaid_enabled %} 'self'
+ {%- endif -%}
+ {%- endif -%}
+
+ {%- if domain.directive == "frame-src" -%}
+ {%- if giscus_enabled %} giscus.app
+ {%- elif utterances_enabled %} utteranc.es
+ {%- elif hyvortalk_enabled %} talk.hyvor.com
+ {%- endif %}
+ {%- endif -%}
+
+ {%- if not loop.last -%}
+ ;
+ {%- endif -%}
+ {%- endfor -%}
+
+ {#- Insert the generated connect-src -#}
+ {{ ";" ~ connect_src }}
+
+ {#- Insert the generated script-src -#}
+ {{ ";" ~ script_src }}
+
+{%- endif -%}">
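Review bot: The frame-src hosts for the comment systems (L122-127) and the `'unsafe-inline'` token for style-src (L112-115) are only emitted when `config.extra.allowed_domains` already contains an entry for that directive, so a site that enables giscus (or utterances / hyvortalk) without listing a `frame-src` entry gets no frame-src directive at all; the browser then applies `default-src 'self'` to the comment iframe and silently blocks it, whereas connect-src and script-src are always emitted on L135 and L138 regardless of configuration. Tracking whether the loop saw a `frame-src` entry and emitting the comment host after the loop when it did not, as below, fixes the silent block without producing a duplicate directive (a second frame-src would be ignored by the browser, dropping whichever hosts came later). Separately, L78 allowlists the whole `cdn.jsdelivr.net` host for script-src, which makes every package on that public CDN a usable script gadget and largely defeats the policy; narrowing the source to the path actually loaded (the exact mermaid/iine paths are not visible in this hunk) or pinning the script with SRI would keep it meaningful. The `| safe` on L98, L104 and L110 also disables escaping for values that land inside the double-quoted `content` attribute; these come from the site's own config so it is a footgun rather than an injection, but a comment such as `{# values are emitted unescaped into the attribute: a stray " or ; breaks the policy #}` would warn the next maintainer.
```html
{%- set frame_src_configured = false -%}
{%- for domain in config.extra.allowed_domains -%}
  {# … unchanged: connect-src / script-src accumulation, generic directive output … #}
  {%- if domain.directive == "frame-src" -%}
    {%- set_global frame_src_configured = true -%}
    {%- if giscus_enabled %} giscus.app
    {%- elif utterances_enabled %} utteranc.es
    {%- elif hyvortalk_enabled %} talk.hyvor.com
    {%- endif %}
  {%- endif -%}
  {# … unchanged: style-src / font-src handling, separator … #}
{%- endfor -%}

{#- Emit frame-src for the enabled comment system when no frame-src entry was configured,
    otherwise the iframe falls back to default-src 'self' and is blocked -#}
{%- if not frame_src_configured -%}
  {%- if giscus_enabled %};frame-src giscus.app
  {%- elif utterances_enabled %};frame-src utteranc.es
  {%- elif hyvortalk_enabled %};frame-src talk.hyvor.com
  {%- endif %}
{%- endif -%}
```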