Inline scripts break Content Security Policy #145

Closed
palant opened this issue May 15, 2020 · 2 comments · Fixed by #173
Labels
enhancement New feature or request
Comments

@palant (Collaborator)

palant commented May 15, 2020

For security reasons, it's a good idea to have a Content Security Policy saying something like script-src: 'self' - only scripts from this website allowed, and no inline scripts. This offers a good protection layer against Cross-Site Scripting attacks.

Now this doesn't quite work with MemE, two scripts are potentially defined inline: theme switcher and HTTPS switcher. It seems that the possible solutions are:

  • Disable both features - possible but I actually liked the theme switcher.
  • Allow these scripts in CSP based on their SHA-256 hash - possible but complicated, might also break when the theme is updated (slight changes to the script).
  • Move the scripts for these features into a separate script file - adds one more request for a tiny file.
  • Merge these scripts into the existing script file and include it at the top of the page - will delay page load minimally but is my preferred solution so far.

What do you think?

@reuixiy (Owner)

reuixiy commented May 15, 2020

This is basically beyond my knowledge 😅. But I prefer the 4th solution too.

@reuixiy reuixiy added the enhancement New feature or request label May 15, 2020
@reuixiy reuixiy added this to the v4.4.0 milestone May 15, 2020
@palant (Collaborator, Author)

palant commented May 15, 2020

I've set CSP to script-src 'self' 'sha256-Gm1oTy0TqoHcwUBUhFG0IWdfrLSxxxdn1G0rEFl6x2g=' for now - this allows the theme switcher script to work, but it feels like a temporary solution.

palant added a commit that referenced this issue May 22, 2020
@reuixiy reuixiy modified the milestones: v4.4.0, v4.5.0 May 23, 2020
palant added a commit that referenced this issue May 26, 2020
* fix: Move loading JavaScript to the top of the page, don't use inline scripts for the theme switcher (fixes #145)

* fix: Do not use an inline script for HTTPS redirect

* chore: Actually remove the inline script from page head

* chore: Use scratch again (a private one) and fix lunr search

* fix: Move third-party scripts back to the bottom of the page

BREAKING CHANGE: custom.js is loaded at the top of the page now, before the page elements are available
ulmefors pushed a commit to ulmefors/hugo-theme-meme that referenced this issue Nov 22, 2020