Custom functions for CSP

I wanted to write a function to scan a page’s content for image URLs and inject them into the CSP ruleset, but then I found this: Use a new rust function · Issue #650 · getzola/zola · GitHub

Is there another approach I could use instead of duplicating image urls in the front matter (Image • Halve-Z Zola theme, halve-z/templates/partials/head.html at 0335a903f2eed599fb2907013343b4c38747b89d · charlesrocket/halve-z · GitHub)?

I think it’s safe enough to allow https images, no?

I don’t have a direct answer to your question, sorry. However, I have tinkered with custom CSP a bit.

In short, users can set this on their [extra]:

allowed_domains = [
    { directive = "font-src", domains = ["'self'", "data:"] },
    { directive = "img-src", domains = ["'self'", "https://*", "data:"] },
    { directive = "script-src", domains = ["'self'"] },
    { directive = "style-src", domains = ["'self'"] },
    { directive = "frame-src", domains = ["player.vimeo.com", "https://www.youtube-nocookie.com"] },
]

And this template takes care of the rest. There’s a bunch of custom stuff for the comment systems.

Hope that helps!

Oh thanks, this looks awesome! Very neat

I would say it is not safe to allow access to ALL images available over HTTPS. But then there’s also this: Installation & Configuration - Hyvor Talk Docs.
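An added example, not code from anyone in this thread or from Zola: one way to do the scan described in the first post as a step run over the generated HTML, so that `img-src` lists only the origins a page actually uses instead of `https://*`. The function names and the sample HTML are assumptions made for the illustration; the rule entries use the `directive`/`domains` shape of the `allowed_domains` list above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgCollector(HTMLParser):
    """Collect src/srcset URLs from <img> and <source> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "source"):
            return
        a = dict(attrs)
        if a.get("src"):
            self.urls.append(a["src"])
        # srcset is a comma-separated list of "url descriptor" candidates
        # (data: URLs inside srcset are not handled by this simple split)
        for cand in (a.get("srcset") or "").split(","):
            if cand.strip():
                self.urls.append(cand.split()[0])

def img_sources(html):
    """Return sorted CSP source expressions for the images in one page."""
    parser = ImgCollector()
    parser.feed(html)
    sources = {"'self'"}
    for url in parser.urls:
        parts = urlsplit(url)
        if parts.scheme == "data":
            sources.add("data:")
        # Assumption: the site is served over HTTPS, so //host/... resolves to https
        elif parts.netloc and parts.scheme in ("https", ""):
            port = f":{parts.port}" if parts.port else ""
            sources.add(f"https://{parts.hostname}{port}")
        # relative URLs are covered by 'self'; http:// images are left out on purpose
    return sorted(sources)

def build_csp(rules):
    """Join [{directive, domains}] entries into one policy string."""
    return "; ".join(f"{r['directive']} {' '.join(r['domains'])}" for r in rules)

# Constructed sample page, not taken from any real site
SAMPLE_HTML = """
<img src="/images/logo.png">
<img src="https://img.example.net/a/photo.jpg" srcset="https://cdn.example.org/p-2x.jpg 2x">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img src="http://insecure.example.com/x.png">
"""
RULES = [{"directive": "img-src", "domains": img_sources(SAMPLE_HTML)},
         {"directive": "script-src", "domains": ["'self'"]}]
print(build_csp(RULES))
```

Images set from CSS (`background-image`) or inserted by scripts are not seen by this scan and would still need a manual entry.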