Open iSatishYadav opened 2 weeks ago
It seems CSP errors can be suppressed by explicitly setting the hash-source value as noted in the reported error message. (Except for style="" attributes; that is fixed by #10020.)
Example CSP error message and how to fix error
index.html:35 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-EqCpmPzzL1OBCKRrI480jhMLWMTYbVQgeZZftbEm4yE='), or a nonce ('nonce-...') is required to enable inline execution.
It needs to add the 'sha256-EqCpmPzzL1OBCKRrI480jhMLWMTYbVQgeZZftbEm4yE=' hash to the script-src section.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://fonts.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
It needs to add the 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' hash to the style-src section.
I've confirmed the reported CSP errors can be fixed by adding the above settings (and PR #10020).
But when using mermaid.js or Math Expression, additional CSP errors occur and need additional settings.
Hi, is it possible to move the inline JavaScript code present in HTML to a separate JavaScript file? This will ensure the CSP errors related to inline scripts can be avoided.
Adding the hash afterwards in HTML is not practical in my opinion as:
Please let me know if I'm missing something.
is it possible to move the inline JavaScript code present in HTML to a separate JavaScript file?
Some CSP errors can be suppressed by separating to files.
But there are errors that are caused by dependent libraries (e.g. anchor-js, mermaid.js).
So these errors need to be suppressed by specifying the hash in the response header.
Okay. Then docfx itself should add these hashes in the HTML while generating it at the time of docfx build or docfx serve.
If the Content-Security-Policy response header is set by the web server, it can't be overridden by the docfx generated HTML side, as far as I've tested.
When specifying CSP on both the response header and the <meta> tag, it seems the most restrictive rules are enabled, as described at the following link:
https://stackoverflow.com/questions/51148998/what-is-happening-when-i-have-two-csp-content-security-policies-policies-hea
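Two points in this thread are easy to get wrong in practice: the hash-source must be computed over the exact bytes between the tags (the style-src hash quoted above is in fact the SHA-256 of an empty string, which is why an empty style="" attribute triggers it), and a hash placed in a <meta> policy does not relax a header policy, because the browser enforces every delivered policy independently. The following Python is an added example, not docfx code and not the code of any library mentioned here; the policy parser is deliberately simplified (no nonce, scheme or host matching, no report-only handling), the theme-switcher script body is assumed to have exactly the whitespace written below, and the server header is the one from issue #4676.

```python
import base64
import hashlib


def hash_source(body: str) -> str:
    """CSP sha256 hash-source token for an inline script/style body.

    The digest covers the exact text between the opening and closing tag,
    including any leading/trailing whitespace, so the token only matches
    if the template emits those bytes unchanged.
    """
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_policy(policy: str) -> dict:
    """Split a policy string into {directive-name: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_allowed(policy: str, directive: str, body: str) -> bool:
    """Does one policy permit this inline body under `directive`?

    Falls back to default-src when the directive is absent; with neither
    present the policy places no restriction on it. (Simplified: hashes
    and 'unsafe-inline' only; nonces are not evaluated.)
    """
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    keywords = {s.lower() for s in sources if s.startswith("'")}
    has_hash_or_nonce = any(k.startswith(("'sha", "'nonce-")) for k in keywords)
    # CSP Level 2+: 'unsafe-inline' is ignored once a hash or nonce is listed.
    if "'unsafe-inline'" in keywords and not has_hash_or_nonce:
        return True
    return hash_source(body) in sources  # base64 hashes are case-sensitive


def inline_allowed_everywhere(policies: list, directive: str, body: str) -> bool:
    """Header and <meta> policies are each enforced on their own, so an
    inline resource runs only when every delivered policy allows it."""
    return all(inline_allowed(p, directive, body) for p in policies)


# Constructed sample inputs: the server header from issue #4676 and the
# modern-template theme script quoted in this thread (whitespace assumed).
SERVER_HEADER = (
    "default-src 'self'; script-src 'self'; img-src 'self' data:; "
    "style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com"
)
THEME_SCRIPT = (
    "const theme = localStorage.getItem('theme') || 'auto'\n"
    "document.documentElement.setAttribute('data-bs-theme', theme === 'auto' "
    "? (window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light') : theme)"
)
# What a generated <meta http-equiv="Content-Security-Policy"> could carry.
META_POLICY = "script-src 'self' " + hash_source(THEME_SCRIPT)

if __name__ == "__main__":
    print(hash_source(""))  # matches the style-src hash reported for style=""
    print(inline_allowed(META_POLICY, "script-src", THEME_SCRIPT))
    print(inline_allowed(SERVER_HEADER, "script-src", THEME_SCRIPT))
    # meta alone cannot override the header: all policies must allow it
    print(inline_allowed_everywhere([SERVER_HEADER, META_POLICY], "script-src", THEME_SCRIPT))
```

Run it as-is to see that the empty-string hash equals the style-src value from the error message, that the meta policy alone accepts the theme script, and that the combination with the server header still rejects it; only adding the same hash to the header's script-src makes every policy agree.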
This one can also be resolved by docfx, right?
<script>
const theme = localStorage.getItem('theme') || 'auto'
document.documentElement.setAttribute('data-bs-theme', theme === 'auto' ? (window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light') : theme)
</script>
For external dependencies, let's take it up with respective libraries.
Yes, it can be resolved by modifying the modern template. As far as I know, the following inline scripts need to be modified:
default template's inline script that was reported at #4676
Describe the bug
DocFX generated HTML produces the following Content Security Policy errors when under a restricted CSP, e.g., self.
index.html:
index.html:
nav.ts:115
Almost all of the CSS and JS are in their own files, except for those.
To Reproduce
Steps to reproduce the behavior:
Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com
Expected behavior
The generated HTML files should not produce any CSP errors. This will ensure the HTML works under secure and restricted environments where tight Content Security Policies have been applied.
Context:
OS: Windows
Docfx version: 2.76.0
.NET version: .NET 8
docfx.json config
Please let me know if any information I can provide to help. This is my first issue here, please excuse any rookie mistakes.