spanezz / staticsite

Static site generator
GNU General Public License v3.0
47 stars 7 forks source link

Support for Content-Security-Policy headers #40

Open spanezz opened 4 years ago

spanezz commented 4 years ago

(from a conversation with @DonKult)

The sha256 is for the script-tag livereload inserts. I could just leave that in for production, but sometimes it would be handy to know if we are 'build', 'serve'd or perhaps even 'show'n.

Well, super-ideally livereload would apply that themself although that could become complicated really fast on less static sites.

Oh, interesting problem, that. I haven't yet gained CSP as a habit, shame on me.

Given the amount of monkey patching I had to do on livereload recently (see lepture/python-livereload#214), I've been wondering about ditching it as a dependency and reimplementing that functionality in staticsite. That would integrate well with an extra empty block in the base template that 'ssite serve' could fill with CSP.