From 5e0cbdd67dbe4c17d635040959133edcc5066aff Mon Sep 17 00:00:00 2001
From: welpo
Date: Fri, 15 Mar 2024 15:04:37 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20feat:=20allow=20disabling=20CSP,=20?=
 =?UTF-8?q?following=20the=20hierarchy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Introduces new option `enable_csp`, true by default. Can be set on a page, section or globally.
---
 config.toml | 4 ++++
 content/blog/mastering-tabi-settings/index.ca.md | 4 +++-
 content/blog/mastering-tabi-settings/index.es.md | 4 +++-
 content/blog/mastering-tabi-settings/index.md | 4 +++-
 content/blog/security/index.ca.md | 4 +++-
 content/blog/security/index.es.md | 4 +++-
 content/blog/security/index.md | 4 +++-
 templates/page.html | 1 +
 templates/partials/header.html | 4 +++-
 theme.toml | 4 ++++
 10 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/config.toml b/config.toml
index 84af91c21..a5fe953b9 100644
--- a/config.toml
+++ b/config.toml
@@ -263,6 +263,10 @@ allowed_domains = [
 { directive = "frame-src", domains = ["player.vimeo.com", "https://www.youtube-nocookie.com"] },
 ]
 
+# Enable the CSP directives configured (or default).
+# Can be set at page or section levels, following the hierarchy: page > section > config. See: https://welpo.github.io/tabi/blog/mastering-tabi-settings/#settings-hierarchy
+enable_csp = true
+
 # Custom subset of characters for the header.
 # If set to true, the `static/custom_subset.css` file will be loaded first.
 # This avoids a flashing text issue in Firefox.
diff --git a/content/blog/mastering-tabi-settings/index.ca.md b/content/blog/mastering-tabi-settings/index.ca.md
index 97b535c55..b52e44a41 100644
--- a/content/blog/mastering-tabi-settings/index.ca.md
+++ b/content/blog/mastering-tabi-settings/index.ca.md
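Review bot: The comment above `enable_csp = true` says what the option enables but not what `false` does: per the header.html change in this same commit the content_security_policy.html partial is skipped entirely, so no policy is emitted for that page, section or site rather than a looser one. I would state that consequence in the comment so nobody flips it to silence a single blocked resource: `# Set to false to omit the Content Security Policy entirely (no directives at all). Prefer adding the needed origin to allowed_domains instead.` The same two comment lines are duplicated in the theme.toml hunk and should be updated there as well.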
@@ -1,7 +1,7 @@
 +++
 title = "Domina la configuració de tabi: guia completa"
 date = 2023-09-18
-updated = 2024-02-15
+updated = 2024-03-15
 description = "Descobreix les múltiples maneres en què pots personalitzar tabi."
 
 [taxonomies]
@@ -749,6 +749,8 @@ allowed_domains = [
 ]
 ```
 
+Aquesta opció està habilitada per defecte. Per desactivar-la per una pàgina, secció o globalment, estableix `enable_csp = false`. La configuració de `enable_csp` segueix la jerarquia.
+
 Per a més informació, consulta la [pàgina de documentació de CSP](/ca/blog/security/).
 
 ---
diff --git a/content/blog/mastering-tabi-settings/index.es.md b/content/blog/mastering-tabi-settings/index.es.md
index 0863c1d55..477062a4e 100644
--- a/content/blog/mastering-tabi-settings/index.es.md
+++ b/content/blog/mastering-tabi-settings/index.es.md
@@ -1,7 +1,7 @@
 +++
 title = "Domina la configuración de tabi: guía completa"
 date = 2023-09-18
-updated = 2024-01-07
+updated = 2024-03-15
 description = "Descubre las múltiples maneras en que puedes personalizar tabi."
 
 [taxonomies]
@@ -749,6 +749,8 @@ allowed_domains = [
 ]
 ```
 
+Esta función está habilitada por defecto. Para deshabilitarla (y permitir todo), configura `enable_csp = false` en una página, sección o globalmente. La opción `enable_csp` sigue [la jerarquía](#jerarquia-de-configuracion).
+
 Para obtener más información, consulta la [página de documentación de CSP](/es/blog/security/).
 
 ---
diff --git a/content/blog/mastering-tabi-settings/index.md b/content/blog/mastering-tabi-settings/index.md
index 88c5d1472..d4300f5d3 100644
--- a/content/blog/mastering-tabi-settings/index.md
+++ b/content/blog/mastering-tabi-settings/index.md
@@ -1,7 +1,7 @@
 +++
 title = "Mastering tabi Settings: A Comprehensive Guide"
 date = 2023-09-18
-updated = 2024-01-07
+updated = 2024-03-15
 description = "Discover the many ways you can customise your tabi site."
 
 [taxonomies]
@@ -754,6 +754,8 @@ allowed_domains = [
 ]
 ```
 
+This feature is enabled by default. To disable it (and allow all connections), set `enable_csp = false` on a page, section or globally. The `enable_csp` setting follows the [hierarchy](#settings-hierarchy).
+
 See the [CSP documentation page](/blog/security/) for more information.
 
 ---
diff --git a/content/blog/security/index.ca.md b/content/blog/security/index.ca.md
index 94ab1e621..c56744d55 100644
--- a/content/blog/security/index.ca.md
+++ b/content/blog/security/index.ca.md
@@ -1,7 +1,7 @@
 +++
 title = "Seguretat per defecte"
 date = 2023-02-22
-updated = 2023-09-29
+updated = 2024-03-15
 description = "tabi té una Política de Seguretat de Contingut (CSP) fàcilment personalitzable amb valors segurs per defecte. Obtingues tranquil·litat i un A+ en l'Observatori de Mozilla."
 
 [taxonomies]
@@ -30,6 +30,8 @@ La llista `allowed_domains` especifica les URLs a les quals el lloc web hauria d
 
 Aquesta funcionalitat permet personalitzar fàcilment les capçaleres de seguretat del lloc web per permetre casos d'ús específics, com ara inserir vídeos de YouTube, carregar scripts o tipografies remotes ([no recomanat](https://www.albertovarela.net/blog/2022/11/stop-using-google-fonts/)).
 
+Pots desactivar les capçaleres (permitint-ho tot) en una pàgina, secció, o globalment configurant `enable_csp = false` en el front matter o en el fitxer `config.toml`.
+
 **Nota**: [habilitar els comentaris](@/blog/comments/index.ca.md) o [les analítiques](@/blog/mastering-tabi-settings/index.ca.md#analisi-web) automàticament permet scripts/frames/estils/connexions en funció del servei habilitat.
 
 [^1]: Requereix una configuració adequada del servidor web (p. ex., redirigir el trànsit HTTP a HTTPS).
diff --git a/content/blog/security/index.es.md b/content/blog/security/index.es.md
index 3a6763f8d..8ba92cfe2 100644
--- a/content/blog/security/index.es.md
+++ b/content/blog/security/index.es.md
@@ -1,7 +1,7 @@
 +++
 title = "Seguro por defecto"
 date = 2023-02-22
-updated = 2023-09-29
+updated = 2024-03-15
 description = "tabi tiene una Política de Seguridad de Contenido (CSP) fácilmente personalizable con configuraciones seguras. Obtén tranquilidad y una calificación de A+ en Mozilla Observatory."
 
 [taxonomies]
@@ -30,6 +30,8 @@ La lista `allowed_domains` especifica las URL a las que el sitio web debería po
 
 Esta función permite personalizar fácilmente las cabeceras de seguridad del sitio web para permitir casos de uso específicos, como la incrustación de videos de YouTube, la carga de scripts o fuentes remotas ([no recomendado](https://www.albertovarela.net/blog/2022/11/stop-using-google-fonts/)).
 
+Puedes desactivar las cabeceras (permitiendo todo) en una página, sección, o globalmente configurando `enable_csp = false` en el front matter o en el archivo `config.toml`.
+
 **Nota**: [habilitar los comentarios](@/blog/comments/index.es.md) o [las analíticas](@/blog/mastering-tabi-settings/index.es.md#analisis-web) automáticamente permite scripts/frames/estilos/conexiones en función del servicio habilitado.
 
 [^1]: Requiere una configuración adecuada del servidor web (por ejemplo, redirigir el tráfico HTTP a HTTPS).
diff --git a/content/blog/security/index.md b/content/blog/security/index.md
index b566e79db..a9b167e50 100644
--- a/content/blog/security/index.md
+++ b/content/blog/security/index.md
@@ -1,7 +1,7 @@
 +++
 title = "Secure by default"
 date = 2023-02-22
-updated = 2023-09-29
+updated = 2024-03-15
 description = "tabi has an easily customizable Content Security Policy (CSP) with safe defaults. Get peace of mind and an A+ on Mozilla Observatory."
 
 [taxonomies]
@@ -30,6 +30,8 @@ The `allowed_domains` list specifies the URLs that the website should be able to
 
 This feature allows you to easily customize the website's security headers to allow for specific use cases, such as embedding YouTube videos, loading scripts or remote fonts ([not recommended](https://www.albertovarela.net/blog/2022/11/stop-using-google-fonts/)).
 
+You can disable the CSP (allowing all connections) on a page, section, or globally by setting `enable_csp = false` in the front matter or `config.toml` file.
+
 **Note**: [enabling comments](@/blog/comments/index.md) or [analytics](@/blog/mastering-tabi-settings/index.md#analytics) automatically allows scripts/frames/styles/connections as needed from the respective services.
 
 [^1]: Requires proper webserver configuration (e.g. redirecting HTTP traffic to HTTPS).
diff --git a/templates/page.html b/templates/page.html
index 2e9f72237..c875baea7 100644
--- a/templates/page.html
+++ b/templates/page.html
@@ -25,6 +25,7 @@
 "show_previous_next_article_links",
 "invert_previous_next_article_links",
 "previous_next_article_links_full_width",
+ "enable_csp",
 ] %}
diff --git a/templates/partials/header.html b/templates/partials/header.html
index 0ab0c3ce1..8b82ddf7f 100644
--- a/templates/partials/header.html
+++ b/templates/partials/header.html
@@ -143,7 +143,9 @@
- {%- include "partials/content_security_policy.html" -%}
+ {%- if macros_settings::evaluate_setting_priority(setting="enable_csp", page=page | default(value=""), section=section | default(value=""), default_global_value="true") == "true" -%}
+ {%- include "partials/content_security_policy.html" -%}
+ {%- endif -%}
 {%- if config.extra.theme_switcher and config.extra.theme_switcher == true -%}
 {# If JavaScript is disabled, hide the button. #}
diff --git a/theme.toml b/theme.toml
index 8d1e1d371..53a2c054c 100644
--- a/theme.toml
+++ b/theme.toml
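Review bot: The new guard in header.html compares the macro result to the string `"true"`, so the CSP partial is only included if `evaluate_setting_priority` returns a stringified value; if it ever returned the raw boolean from a `enable_csp = true` config entry, the comparison would be false and the policy would be silently dropped site-wide with no error. I assume it stringifies, as the other settings passed through this macro presumably rely on the same pattern, but because the failure mode is silent a render check that the default config still produces the Content-Security-Policy output is worth adding alongside this change. Since a single page's front matter can now remove the policy on its own, a short comment above the `if` would help the next reader: `{# enable_csp follows page > section > config; when it is false the CSP partial is skipped and no policy at all is emitted for this page #}`. The enclosing template markup continues outside the hunk on both sides.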
@@ -218,6 +218,10 @@ allowed_domains = [
 { directive = "frame-src", domains = ["player.vimeo.com", "https://www.youtube-nocookie.com"] },
 ]
 
+# Enable the CSP directives configured (or default).
+# Can be set at page or section levels, following the hierarchy: page > section > config. See: https://welpo.github.io/tabi/blog/mastering-tabi-settings/#settings-hierarchy
+enable_csp = true
+
 # Custom subset of characters for the header.
 # If set to true, the `static/custom_subset.css` file will be loaded first.
 # This avoids a flashing text issue in Firefox.