From edea1118eb7af3a3cb87b5c1524cdd583c468cf9 Mon Sep 17 00:00:00 2001
From: Alex Miranda <alexandermichaelmiranda@gmail.com>
Date: Fri, 22 Jan 2021 16:26:30 +0000
Subject: [PATCH] Adds Content-Security-Policy template to theme (#504)

---
 exampleSite/config.toml      |   19 +++++++++++++++++++
 layouts/_default/baseof.html |    3 +++
 CONTRIBUTORS.md              |    1 +
 layouts/partials/csp.html    |    1 +
 4 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 78c81f7..13543b4 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -90,3 +90,4 @@
 - [JaeSang Yoo](https://github.com/JSYoo5B)
 - [Felix](https://github.com/lazyyz)
 - [Peter Duchnovsky](https://pduchnovsky.com)
+- [Alex Miranda](https://ammiranda.com)
diff --git a/exampleSite/config.toml b/exampleSite/config.toml
index 751acf8..a9b89f5 100644
--- a/exampleSite/config.toml
+++ b/exampleSite/config.toml
@@ -80,6 +80,25 @@
 [params.cloudflare]
     token = "token"
 
+# If you want to implement a Content-Security-Policy, add this section
+[params.csp]
+	childsrc = ["'self'"]
+	fontsrc=["'self'",
+		"https://fonts.gstatic.com",
+		"https://cdn.jsdelivr.net/"]
+	formaction = ["'self'"]
+	framesrc = ["'self'"]
+	imgsrc = ["'self'"]
+	objectsrc = ["'none'"]
+	stylesrc = ["'self'",
+		"'unsafe-inline'",
+		"https://fonts.googleapis.com/",
+		"https://cdn.jsdelivr.net/"]
+	scriptsrc = ["'self'",
+		"'unsafe-inline'",
+		"https://www.google-analytics.com"]
+	prefetchsrc = ["'self'"]
+
 [taxonomies]
   category = "categories"
   series = "series"
diff --git a/layouts/_default/baseof.html b/layouts/_default/baseof.html
index 56f5b3a..435808f 100644
--- a/layouts/_default/baseof.html
+++ b/layouts/_default/baseof.html
@@ -5,6 +5,9 @@
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta http-equiv="Content-Language" content="{{ .Site.Language.Lang }}">
+    {{ if .Site.Params.csp }}
+      {{ partial "csp.html" . }}
+    {{ end }}
 
     {{ with .Site.Params.author }}<meta name="author" content="{{ . }}">{{ end }}
     <meta name="description" content="{{ .Description | default (.Summary | default .Site.Params.description ) }}">
diff --git a/layouts/partials/csp.html b/layouts/partials/csp.html
new file mode 100644
index 0000000..57ded85
--- /dev/null
+++ b/layouts/partials/csp.html
@@ -0,0 +1 @@
+{{ printf `<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content; default-src 'self'; child-src %s; font-src %s; form-action %s; frame-src %s; img-src %s; object-src %s; style-src %s; script-src %s; prefetch-src %s;">` (delimit .Site.Params.csp.childsrc " ") (delimit .Site.Params.csp.fontsrc " ") (delimit .Site.Params.csp.formaction " ") (delimit .Site.Params.csp.framesrc " ") (delimit .Site.Params.csp.imgsrc " ") (delimit .Site.Params.csp.objectsrc " ") (delimit .Site.Params.csp.stylesrc " ") (delimit .Site.Params.csp.scriptsrc " ") (delimit .Site.Params.csp.prefetchsrc " ") | safeHTML }}
\ No newline at end of file
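Review bot: Every one of the nine directive keys is mandatory here, because `delimit` is applied to each `.Site.Params.csp.<key>` unconditionally; a site that declares `[params.csp]` but omits, say, `prefetchsrc` passes a nil value to `delimit`, which as far as I recall Hugo rejects with a template error rather than emitting an empty directive. Wrapping each directive in `with` lets sites configure only the directives they need while `default-src 'self'` remains the fallback for the rest. `block-all-mixed-content` is deprecated in favour of `upgrade-insecure-requests`, which the policy already includes, so it can be dropped. The configured sources are also interpolated straight into the attribute via `safeHTML`, so a `"` in a configured source would break out of the tag; the values are site-author config rather than user input, so the risk is low, but a comment stating that expectation would help.

```html
{{- $csp := .Site.Params.csp -}}
{{- /* Source lists come from the site's own config and are trusted; they are not escaped. */ -}}
{{- $policy := slice "upgrade-insecure-requests" "default-src 'self'" -}}
{{- with $csp.childsrc }}{{ $policy = $policy | append (printf "child-src %s" (delimit . " ")) }}{{ end -}}
{{- with $csp.fontsrc }}{{ $policy = $policy | append (printf "font-src %s" (delimit . " ")) }}{{ end -}}
{{- /* … same pattern for formaction, framesrc, imgsrc, objectsrc, stylesrc, scriptsrc, prefetchsrc … */ -}}
{{ printf `<meta http-equiv="Content-Security-Policy" content="%s;">` (delimit $policy "; ") | safeHTML }}
```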

--
Gitblit v1.10.0