(CSP) esdoc-publish-html-plugin: add a 'index.html.meta' file

[TriMoon]

To aid in Content Security Policy (CSP) usage by the generated output When using a Apache webserver, you should add these lines in a file named "index.html.meta" and place it alongside the index.html file generated by esdoc" (Alternatively you could also put it inside a "esdoc.meta" file somewhere else and link to it using correct names in-case it is needed by more than one file...)

Content-Security-Policy-Report-Only:
Content-Security-Policy:    default-src 'none'; script-src 'self' 'unsafe-inline';  style-src 'self' 'unsafe-inline' fonts.googleapis.com;  img-src 'self'; font-src 'self' fonts.gstatic.com;  report-uri /server-cgi/csp-violation;

• The first line Content-Security-Policy-Report-Only: will disable your server-wide report-only policy if you are using Header setifempty Content-Security-Policy-Report-Only somewhere in the server configs, like i am. You can skip it/remove it if you don't make use of that functionality.
• The two domains mentioned in 2nd line, are ones used by the generated pages. These two just happen to be the ones used by a default install of esdoc-standard-plugin / esdoc-publish-html-plugin
• The report-uri /server-cgi/csp-violation; should point to your own script that collects csp-violations. You can leave it as-is, to make your browser perform violation reporting. (The script can be an empty file also, just eliminate a 404 from Apache)

The values on the 2nd line could also be put inside the head of the html file with a <meta http-equiv="Content-Security-Policy" content="..."> tag, but you won't be allowed to use the reporting functionality in that case. Besides the server-generated header will take precedence over the one inside a served document. Anyway the file to modify would be between L4-L5 of esdoc-publish-html-plugin/out/src/Builder/template/layout.html Hope this info will be useful to anyone :+1:

[TriMoon]

Ugh it needs to be in ALL generated html files. I will be resorting to generating the header in a .htaccess file instead... Below are the files i'm using now. [Click the arrowed-line to (un)hide] My docs with esdoc reside in a EsDocs and jsdoc reside in a JsDocs directories respectively.

make_docs.sh

```bash #!/usr/bin/env bash function make_es(){ echo "--- Generating EsDocs ---" # rm -Rf EsDocs esdoc ln -s ../docs.htaccess EsDocs/.htaccess } function make_js(){ echo "--- Generating JsDocs ---" # rm -R JsDocs jsdoc -c .jsdoc.json ln -s ../docs.htaccess JsDocs/.htaccess } function usage(){ cat <<-EoUsage Generate documentation Usage: $(basename $0) Where can be: -h = Show this help. -a = All -e = Using esdoc -j = Using jsdoc EoUsage exit } function parse_args(){ # Display usage when no arguments provided test $# -eq 0 && exec $0 -h # Parse commandline options. while getopts "aejh" OPTION; do case $OPTION in 'a') exec $0 -ej ;; 'e') make_es ;; 'j') make_js ;; 'h') usage ;; *) printf "%s.\n" "Error: Unknown argument" exit 2 ;; esac done } parse_args $* # # Editor modelines - https://www.wireshark.org/tools/modelines.html # # Local variables: # c-basic-offset: 4 # tab-width: 4 # indent-tabs-mode: t # End: # # vi: set shiftwidth=4 tabstop=4 noexpandtab: # :indentSize=4:tabSize=4:noTabs=false: # ```

docs.htaccess

```Apache Header unset Content-Security-Policy-Report-Only Header set Content-Security-Policy " \ default-src 'none'; \ script-src 'self' 'unsafe-inline'; \ style-src 'self' 'unsafe-inline' fonts.googleapis.com; \ img-src 'self'; \ font-src 'self' fonts.gstatic.com; \ report-uri /server-cgi/csp-violation; \ " ```