luizdepra / hugo-coder

A minimalist blog theme for hugo.
MIT License

Utterances Requires inline-script CSP Access #898

Open micchickenburger opened 8 months ago

micchickenburger commented 8 months ago

Describe the problem:

Commit 9ea82c5c8247d4dd220e7441be645acc00e8cf29 changed the Utterances script load logic to support changing between light and dark modes. However, this uses an inline script. This inline script will not execute unless the site's Content Security Policy allows inline-script, which is generally not considered a good idea.

Steps to reproduce:

  1. Configure utterances
  2. Implement a content security policy without inline-script access

One possible workaround might be to load this as an external script, using whatever Hugo uses for generating the integrity values on script elements.
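
Added example, not part of the issue thread or the theme's code: a Node.js check of which inline scripts on a page a given Content Security Policy blocks, together with the hash source that would permit each one without allowing all inline script. The sample page, the policy and the function names are constructed for illustration; the check ignores `script-src-elem`, nonce matching and `'strict-dynamic'`.

```javascript
const { createHash } = require('node:crypto');

// Parse a CSP header value into Map(directive -> [source expressions]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP hash source for an inline script: SHA-256 over the exact element text.
function cspHash(body) {
  return `'sha256-${createHash('sha256').update(body, 'utf8').digest('base64')}'`;
}

// Bodies of <script> elements that have no src attribute.
// Regex extraction is enough for this constructed sample, not for arbitrary HTML.
function inlineScripts(html) {
  const found = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1])) found.push(m[2]);
  }
  return found;
}

// Decide per inline script whether the policy lets it run.
// Simplified: ignores script-src-elem, nonce matching and 'strict-dynamic'.
function auditInlineScripts(html, cspHeader) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  return inlineScripts(html).map((body) => {
    const hashSource = cspHash(body);
    if (!sources) return { allowed: true, hashSource }; // no directive governs scripts
    // A hash or nonce in the list makes browsers ignore 'unsafe-inline'.
    const strict = sources.some((s) => /^'(sha(256|384|512)|nonce)-/i.test(s));
    const allowed = sources.includes(hashSource) ||
      (!strict && sources.some((s) => s.toLowerCase() === "'unsafe-inline'"));
    return { allowed, hashSource };
  });
}

// Constructed sample page: one external script, one inline script.
const SAMPLE_HTML = `<script src="/js/site.js"></script>
<script>window.commentsTheme = "github-dark";</script>`;
const STRICT_CSP = "default-src 'self'; script-src 'self' https://utteranc.es";
```

The hash covers the script text byte for byte, so an inline script whose content changes between builds or pages needs a new hash each time, which is one reason an external file with an integrity attribute is easier to keep under a strict policy.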

micchickenburger commented 8 months ago

Actually, we might be able to revert back to the original code altogether. That's what I did in my site, and take a look: Changing the theme from light to dark works just fine for utterances. https://www.micah.soy/posts/introduction-to-cryptography-blade-runner-style/