obedm503 / bootmark

markdown + bootstrap as a jQuery plugin
https://obedm503.github.io/bootmark/
MIT License
21 stars 4 forks

static package compliant with CSP #25

Open oupala opened 6 years ago

oupala commented 6 years ago

Bootmark is great for a common use case, but it doesn't work with restrictive CSP (Content Security Policies) or when a document is used on an intranet without access to the internet.

The problem is that bootmark is downloading many resources from the internet:

It would be great if bootmark could have a static package with all resources embedded.

This could be useful with restrictive CSP, and when no access to the internet (ie. a classroom for trainings).

Any thoughts about that?

obedm503 commented 6 years ago

There are already 2 bundle files, a js and a css, which should include everything but the fonts.

oupala commented 6 years ago

Are you talking about these resources?

If yes, how can I use it? When I include bootmark.bundle.min.js, it is still loading the following resources:

Can you please tell me how to use the bundle version of bootmark?

obedm503 commented 6 years ago

For the moment this is outside the scope of this project.

When I created this I needed a super quick and easy way to show documentation for other projects. I pipe source code through jsdoc2md to generate markdown and give that markdown to bootmark to give me a better looking version in a browser. Emphasis on easy. I decided to let bootmark handle anything related to displaying the content. So, it dynamically loads all those files related to themes and the such. (This might change in a future version because I would like to leave jquery and move to a custom element.)

I suppose you could work around the issue by downloading those files yourself and linking them in the <head>. Of course, because of CSP, when bootmark tries to load them it would fail, but that is ok if you have local copies already.

oupala commented 6 years ago

I understand the way you created bootmark: fast and easy to use.

I agree that the workaround you propose works, although it will still raise CSP errors (which is bad, as it becomes hard to tell the difference between real errors and normal errors).

But I'll be glad if you can add this inside the scope of this project.

oupala commented 6 years ago

CSP can also block some operations, such as eval:

Error: call to eval() blocked by CSP

And this time, there is no workaround by copying resources.

Can you tell me what are eval() calls for?

obedm503 commented 6 years ago

It's a hack to parse objects from attributes: https://github.com/obedm503/bootmark/blob/master/src/bootmark.js#L259
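As an added example (not bootmark's own code, and not a patch from its author), this is how option objects can be read from `data-*` attributes without `eval()`. A CSP whose `script-src` omits `'unsafe-eval'` blocks `eval`, `new Function` and string-argument `setTimeout`, but it does not restrict `JSON.parse`, so values that are valid JSON become objects, arrays, numbers or booleans, and anything else stays an inert string instead of being executed. The attribute names in the sample (`data-theme`, `data-fetch`, `data-toc`, `data-prettify`, ...) are constructed for the illustration and are not claimed to be bootmark's real option names; `parseDataAttributes` and `parseAttributeValue` are hypothetical helpers.

```javascript
// Added example, not bootmark's code: eval-free parsing of plugin options
// from data-* attributes, so it runs under a CSP without 'unsafe-eval'.

// Convert one attribute string into a JS value.
// Order: missing -> undefined, empty (bare attribute) -> true, valid JSON
// (objects, arrays, numbers, booleans, null, quoted strings) -> parsed
// value, anything else -> the raw string. Nothing is ever executed.
function parseAttributeValue(raw) {
  if (raw === null || raw === undefined) return undefined;
  const text = String(raw).trim();
  if (text === '') return true;
  try {
    return JSON.parse(text);
  } catch (e) {
    return text; // plain strings such as a theme name or a URL
  }
}

// Hypothetical helper: turn a plain object of attribute names -> strings
// (what iterating el.attributes would give you) into an options object.
// Names are camelCased the way the DOM's dataset does it
// (data-fetch-url -> fetchUrl). An optional Set of allowed keys lets the
// plugin ignore attributes it does not know about.
function parseDataAttributes(attrs, allowed) {
  const options = {};
  for (const name of Object.keys(attrs)) {
    if (!name.startsWith('data-')) continue;
    const key = name
      .slice('data-'.length)
      .replace(/-([a-z])/g, (match, ch) => ch.toUpperCase());
    if (allowed && !allowed.has(key)) continue;
    options[key] = parseAttributeValue(attrs[name]);
  }
  return options;
}

// Constructed sample: attribute names and values as a DOM element would
// hold them. The option names are made up for this example.
const SAMPLE_ATTRIBUTES = {
  'data-theme': 'readable',
  'data-fetch': '/docs/README.md',
  'data-toc': '',
  'data-prettify': '{"theme":"github","lineNumbers":false}',
  'data-headings': '["h1","h2"]',
  'data-width': '720',
  'data-expr': '1+1',          // not JSON: stays the string "1+1"
  'id': 'content',             // not a data-* attribute: ignored
};

// Parse the sample, restricting to a known option list.
function parseSample() {
  const known = new Set(['theme', 'fetch', 'toc', 'prettify', 'headings', 'width', 'expr']);
  return parseDataAttributes(SAMPLE_ATTRIBUTES, known);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(parseSample(), null, 2));
}
```

In a browser the same `parseDataAttributes` can be fed with `Object.fromEntries(Array.from(el.attributes, a => [a.name, a.value]))`. The trade-off versus the `eval` shortcut is that attribute values must be real JSON (double-quoted keys, no trailing commas), which is a small authoring cost in exchange for working under a strict `script-src` and never turning attribute text into code.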

oupala commented 6 years ago

Ok. That will be a point to take into account when it's time to comply with CSP rules.

Unfortunately, I'll have to stick with the unmaintained strapdown for the moment, as my hosting provider has strict CSP rules enabled.

Thanks anyway for making and maintaining bootmark!