Custom functions for CSP

I wanted to write a function to scan page’s content for image urls to inject them into CSP ruleset, but then I found this Use a new rust function · Issue #650 · getzola/zola · GitHub

Is there another approach I could use instead of duplicating image urls in the front matter (Image • Halve-Z Zola theme, halve-z/templates/partials/head.html at 0335a903f2eed599fb2907013343b4c38747b89d · charlesrocket/halve-z · GitHub)?

I think it’s safe enough to allow https images, no?

I don’t have a direct answer to your question, sorry. However, I have tinkered with custom CSP a bit.

In short, users can set this on their [extra]:

allowed_domains = [
    { directive = "font-src", domains = ["'self'", "data:"] },
    { directive = "img-src", domains = ["'self'", "https://*", "data:"] },
    { directive = "script-src", domains = ["'self'"] },
    { directive = "style-src", domains = ["'self'"] },
    { directive = "frame-src", domains = ["", ""] },

And this template takes care of the rest. There’s a bunch of custom stuff for the comment systems.

Hope that helps!

Oh thanks, this looks awesome! Very neat

I would say it is not safe to allow access to ALL images available over HTTPS. But then theres also this Installation & Configuration - Hyvor Talk Docs.