hugo-toha / toha

A Hugo theme for personal portfolio
https://hugo-toha.github.io
MIT License

script in `based.html` can't be executed #1002

Open davidgs opened 1 month ago

davidgs commented 1 month ago

Expected Behavior

The script

<script>
  theme = localStorage.getItem('theme-scheme') || localStorage.getItem('darkmode:color-scheme') || 'light';
  if (theme == 'system') {
    if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
      theme = 'dark';
    } else {
      theme = 'light';
    }
  }
  document.documentElement.setAttribute('data-theme', theme);
</script>

included in based.html should be executed, but it isn't.

Current Behavior

davidgs.com/:68 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://app.posthog.com/ *.googletagmanager.com https://cdn.userfront.com https://commento.davidgs.com:8088  *.unpkg.com apis.google.com *.googleapis.com cdn.polyfill.io https://buttons.github.io  cdn.jsdelivr.net *.zencdn.net https://cdnjs.cloudflare.com https://*.google-analytics.com https://*.statcounter.com". Either the 'unsafe-inline' keyword, a hash ('sha256-WiE2LPSnZlTiP9NnrQN14OnMKI2ild8fGH0n+PhofS0='), or a nonce ('nonce-...') is required to enable inline execution.

So with no hash, it won't execute (and I'm not enabling unsafe-inline as that's just a bad idea). Can we move this script to a .js file that we can calculate a hash on?

Possible Solution

Move all in-line scripts to a proper script file to be included.

Steps to Reproduce

Screenshots

Browsers Affected

Detailed Description

davidgs commented 1 month ago

I'm working on a fix for this and all other 'in-line' scripts which will fail with a Content-Security-Policy that does not allow unsafe-inline.

davidgs commented 1 month ago

Addressed in #1004