fix: add giscus CSP checks
charlesrocket committed Jan 23, 2024
1 parent a25631f commit c202c1e
Showing 1 changed file with 1 addition and 1 deletion.
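--- a/templates/partials/head.html
+++ b/templates/partials/head.html
@@ -18,7 +18,7 @@
 <meta name="base" content="{{ config.base_url | safe }}"/>
 <meta name="referrer" content="strict-origin-when-cross-origin"/>
 {% if config.extra.csp %}
-<meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src 'self'; img-src 'self' {% if page.extra.image %}{% if page.extra.image is starting_with("https://") %}{{ page.extra.image }}{% endif %}{% endif %} {% if config.extra.home_image is starting_with("https://") %}{{ config.extra.home_image }}{% endif %} {% if config.extra.post_list_image is starting_with("https://") %}{{ config.extra.post_list_image }}{% endif %} {% if config.extra.default_post_image is starting_with("https://") %}{{ config.extra.default_post_image }}{% endif %}{% if page.extra.csp_img %}{%for url in page.extra.csp_img %} {{ url }}{% endfor %}{% endif %}{% if section.extra.csp_img %}{%for url in section.extra.csp_img %} {{ url }}{% endfor %}{% endif %}; script-src 'self' giscus.app/client.js; manifest-src 'self'; style-src 'self' {% if page_image_hash %}'sha512-{{ page_image_hash | safe }}'{% else %}'sha512-{{ default_post_image_hash | safe }}'{% endif %} 'sha512-{{ main_images_hash | safe }}' giscus.app/default.css; media-src 'self'; frame-src 'self' giscus.app; object-src 'none'; base-uri 'self'; form-action 'self'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src 'self'; img-src 'self' {% if page.extra.image %}{% if page.extra.image is starting_with("https://") %}{{ page.extra.image }}{% endif %}{% endif %} {% if config.extra.home_image is starting_with("https://") %}{{ config.extra.home_image }}{% endif %} {% if config.extra.post_list_image is starting_with("https://") %}{{ config.extra.post_list_image }}{% endif %} {% if config.extra.default_post_image is starting_with("https://") %}{{ config.extra.default_post_image }}{% endif %}{% if page.extra.csp_img %}{%for url in page.extra.csp_img %} {{ url }}{% endfor %}{% endif %}{% if section.extra.csp_img %}{%for url in section.extra.csp_img %} {{ url }}{% endfor %}{% endif %}; script-src 'self' {% if config.extra.giscus %}giscus.app/client.js{% endif %}; manifest-src 'self'; style-src 'self' {% if page_image_hash %}'sha512-{{ page_image_hash | safe }}'{% else %}'sha512-{{ default_post_image_hash | safe }}'{% endif %} 'sha512-{{ main_images_hash | safe }}' {% if config.extra.giscus %}giscus.app/default.css{% endif %}; media-src 'self'; frame-src 'self' {% if config.extra.giscus %}giscus.app{% endif %}; object-src 'none'; base-uri 'self'; form-action 'self'">
 {% endif %}
 <meta name="robots" content="index,follow">
 <meta name="theme-color" content="#2C2D32"/>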
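Review bot: The three giscus sources that the new line makes conditional are still scheme-less host-sources (`giscus.app/client.js`, `giscus.app/default.css`, `giscus.app`), so on a page served over plain http the policy also accepts http:// loads of the comment script, stylesheet and frame. Pinning the scheme closes that: `{% if config.extra.giscus %}https://giscus.app/client.js{% endif %}` in script-src, and likewise `https://giscus.app/default.css` in style-src and `https://giscus.app` in frame-src. The gate is the site-wide `config.extra.giscus`, so pages that render no comment widget presumably still carry the giscus allowances; a per-page condition would be tighter if the theme has one. A short template comment above the tag, e.g. `{# giscus sources are emitted only when config.extra.giscus is set #}`, would help because the whole policy sits on one very long line.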
