From 71b44f869dc2f1c83be5d1c257019a90276075d6 Mon Sep 17 00:00:00 2001 From: SimonLab Date: Tue, 7 Feb 2023 10:29:50 +0000 Subject: [PATCH] Place CSP in root.html Place the content security policy in root to make it easier to find it. Update BUILDIT with documentation --- BUILDIT.md | 39 ++++++++++++++++++++ lib/app_web/templates/layout/icons.html.heex | 11 ------ lib/app_web/templates/layout/root.html.heex | 11 ++++++ 3 files changed, 50 insertions(+), 11 deletions(-) diff --git a/BUILDIT.md b/BUILDIT.md index 9d9ea190..e02ebb41 100644 --- a/BUILDIT.md +++ b/BUILDIT.md @@ -1785,6 +1785,17 @@ file and replace the contents with the following: + <%= live_title_tag assigns[:page_title] || "dwyl mvp"%> <%= render "icons.html" %> @@ -1827,6 +1838,34 @@ file and replace the contents with the following: ``` +Note that we are defining a content security policy with: + +```html + +``` + +This defines who can run scripts, forms, style css and images on the browser. + +The `default-src` value is used by default when the [fetch directives](https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive) +are not specified. + +For scripts we want to allow `cloudfare` (used for cdn) and [`plausible`](https://plausible.io/) used +as an alternative to Google Analytics, to run javascript scripts. + +The `self` value allows the server itself (the Phoenix application) to run scripts. + +Read more about content security policy at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + ## 8.2 Create the `icons` template To make the App more Mobile-friendly, diff --git a/lib/app_web/templates/layout/icons.html.heex b/lib/app_web/templates/layout/icons.html.heex index c738f7b9..c26826c2 100644 --- a/lib/app_web/templates/layout/icons.html.heex +++ b/lib/app_web/templates/layout/icons.html.heex @@ -1,16 +1,5 @@ - + <.live_title prefix="dwyl – "> <%= assigns[:page_title] || "mvp" %>
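Review bot: in the BUILDIT.md hunk at `@@ -1827,6 +1838,34 @@`, the ```html fence that is meant to show the policy is empty in this diff, so the sentence that follows ("This defines who can run scripts, forms, style css and images on the browser") describes a tag the reader cannot see; please paste the actual `<meta http-equiv="Content-Security-Policy" content="...">` line into the fence so the directives and origins named in the explanation can be checked against it. Three wording points in the same hunk: `cloudfare` should read `cloudflare`; the keyword should be written as it appears in a policy, `'self'` with single quotes, because unquoted `self` is parsed as a host name rather than the keyword; and `'self'` means the document's own origin (scheme, host and port), which is more precise than "the server itself (the Phoenix application)". The statement that `default-src` is the fallback for unspecified fetch directives is correct, but `form-action` is a navigation directive and `base-uri`/`frame-ancestors` are document directives, none of which inherit from `default-src`, so if the policy restricts forms as the text says, `form-action` must be listed explicitly.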
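Review bot: moving the policy into lib/app_web/templates/layout/root.html.heex keeps it as a `<meta http-equiv>` CSP rather than a response header, and the documentation added here should state the two consequences: a meta-delivered policy only takes effect once the HTML parser reaches the tag, so it must be the first element in `<head>` (before any `<script>`, `<link>` or the `<.live_title>`/icons render), and `frame-ancestors`, `report-uri` and `sandbox` are ignored when the policy is delivered in a meta tag, so clickjacking protection cannot come from it. If the motivation is only that the policy is easier to find, the header route is just as discoverable and also covers non-HTML responses: in the router's `:browser` pipeline, `plug :put_secure_browser_headers, %{"content-security-policy" => "..."}` merges the header into the defaults Phoenix already sets. The root.html.heex hunk itself is not visible in this excerpt (only `+11` in the diffstat), so please confirm the tag sits above the `<.live_title>` block.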
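Review bot: the BUILDIT.md hunk at `@@ -1785,6 +1785,17 @@` shows the layout as `<%= live_title_tag assigns[:page_title] || "dwyl mvp"%>`, while the icons.html.heex hunk shows the template actually using the component form `<.live_title prefix="dwyl – "> <%= assigns[:page_title] || "mvp" %>`; the guide and the repo now disagree on both the API (the older `live_title_tag` helper versus the `<.live_title>` component) and the fallback title ("dwyl mvp" versus prefix "dwyl – " plus "mvp"). Since this patch is touching the documentation anyway, update the BUILDIT.md snippet to the component form so a reader following the guide ends up with the same root layout as the repository, and note in the icons.html.heex hunk that the lines removed there are the ones relocated to root.html.heex.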