esdoc-plugins
(CSP) esdoc-publish-html-plugin: add a 'index.html.meta' file
To aid in Content Security Policy (CSP) usage by the generated output: when using an Apache webserver, you should add these lines in a file named "index.html.meta" and place it alongside the index.html file generated by esdoc. (Alternatively, you could also put it inside an "esdoc.meta" file somewhere else and link to it using correct names, in case it is needed by more than one file...)

```
Content-Security-Policy-Report-Only:
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; font-src 'self' fonts.gstatic.com; report-uri /server-cgi/csp-violation;
```
- The first line, `Content-Security-Policy-Report-Only:`, will disable your server-wide report-only policy if you are using `Header setifempty Content-Security-Policy-Report-Only` somewhere in the server configs, like I am. You can skip it/remove it if you don't make use of that functionality.
- The two domains mentioned in the 2nd line are ones used by the generated pages. These two just happen to be the ones used by a default install of esdoc-standard-plugin / esdoc-publish-html-plugin.
- The `report-uri /server-cgi/csp-violation;` should point to your own script that collects csp-violations. You can leave it as-is, to make your browser perform violation reporting. (The script can be an empty file also, just to eliminate a 404 from Apache.)
The values on the 2nd line could also be put inside the head of the html file with a `<meta http-equiv="Content-Security-Policy" content="...">` tag, but you won't be allowed to use the reporting functionality in that case.
Besides, the server-generated header will take precedence over the one inside a served document.
Anyway the file to modify would be between L4-L5 of esdoc-publish-html-plugin/out/src/Builder/template/layout.html
Hope this info will be useful to anyone :+1:
Ugh it needs to be in ALL generated html files.
I will be resorting to generating the header in a .htaccess file instead...
Below are the files I'm using now. [Click the arrowed-line to (un)hide]
My docs with esdoc reside in an EsDocs directory and those with jsdoc in a JsDocs directory, respectively.
make_docs.sh
```bash
#!/usr/bin/env bash

# Build the esdoc output and link the shared CSP .htaccess into it.
function make_es(){
	echo "--- Generating EsDocs ---"
	# rm -Rf EsDocs
	esdoc
	# -f replaces the link left by an earlier run instead of failing
	ln -sf ../docs.htaccess EsDocs/.htaccess
}

# Build the jsdoc output and link the shared CSP .htaccess into it.
function make_js(){
	echo "--- Generating JsDocs ---"
	# rm -R JsDocs
	jsdoc -c .jsdoc.json
	ln -sf ../docs.htaccess JsDocs/.htaccess
}

function usage(){
	cat <<-EoUsage
Generate documentation
Usage: $(basename "$0") <opts>
Where <opts> can be:
-h = Show this help.
-a = All
-e = Using esdoc
-j = Using jsdoc
EoUsage
	exit
}

function parse_args(){
	# Display usage when no arguments provided
	test $# -eq 0 && exec "$0" -h
	# Parse commandline options.
	while getopts "aejh" OPTION; do
		case $OPTION in
			'a') exec "$0" -ej ;;
			'e') make_es ;;
			'j') make_js ;;
			'h') usage ;;
			*)
				printf "%s.\n" "Error: Unknown argument"
				exit 2
				;;
		esac
	done
}

# "$@" keeps each argument intact; unquoted $* would re-split them
parse_args "$@"

#
# Editor modelines - https://www.wireshark.org/tools/modelines.html
#
# Local variables:
# c-basic-offset: 4
# tab-width: 4
# indent-tabs-mode: t
# End:
#
# vi: set shiftwidth=4 tabstop=4 noexpandtab:
# :indentSize=4:tabSize=4:noTabs=false:
#
```
docs.htaccess
```apache
<IfModule headers_module>
    <FilesMatch "\.html$">
        Header unset Content-Security-Policy-Report-Only
        Header set Content-Security-Policy " \
            default-src 'none'; \
            script-src 'self' 'unsafe-inline'; \
            style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
            img-src 'self'; \
            font-src 'self' fonts.gstatic.com; \
            report-uri /server-cgi/csp-violation; \
            "
    </FilesMatch>
</IfModule>
```
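
The `report-uri /server-cgi/csp-violation;` directive above needs something on the server to receive the reports. The following is an added example, not part of the original posts: a minimal CGI collector that treats the browser-supplied JSON as untrusted input. The log path, the size cap and the choice of logged fields are assumptions.

```python
#!/usr/bin/env python3
"""CGI collector for CSP violation reports (added example; log path is an assumption)."""
import json
import os
import sys

MAX_BODY = 16 * 1024                      # reports are small; refuse anything larger
LOG_PATH = "/var/log/csp-violations.log"  # hypothetical location, adjust to your server
FIELDS = ("document-uri", "violated-directive", "blocked-uri")


def clean(value, limit=512):
    """Truncate an untrusted value and replace control characters (blocks log injection)."""
    text = str(value)[:limit]
    return "".join(ch if ch.isprintable() else "?" for ch in text)


def format_report(body):
    """Return a tab-separated log line for a report body, or None if it is not a report."""
    if len(body) > MAX_BODY:
        return None
    try:
        report = json.loads(body.decode("utf-8"))["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(report, dict):
        return None
    return "\t".join(f"{name}={clean(report.get(name, '-'))}" for name in FIELDS)


def main():
    try:
        length = int(os.environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    line = None
    if 0 < length <= MAX_BODY:
        line = format_report(sys.stdin.buffer.read(length))
    if line is not None:
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            log.write(line + "\n")
    # Always answer 204 so the sender learns nothing about what was accepted.
    sys.stdout.write("Status: 204 No Content\r\n\r\n")


if __name__ == "__main__":
    main()
```

Anyone who can reach the endpoint can post to it, so the log should be rotated and the endpoint rate-limited at the web server.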