script in `based.html` can't be executed

Open davidgs opened this issue 4 months ago • 0 comments

Expected Behavior

The script

<script>
  theme = localStorage.getItem('theme-scheme') || localStorage.getItem('darkmode:color-scheme') || 'light';
  if (theme == 'system') {
    if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
      theme = 'dark';
    } else {
      theme = 'light';
    }
  }
  document.documentElement.setAttribute('data-theme', theme);
</script>

included in based.html should be executed, but it isn't.

Current Behavior

davidgs.com/:68 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://app.posthog.com/ *.googletagmanager.com https://cdn.userfront.com https://commento.davidgs.com:8088  *.unpkg.com apis.google.com *.googleapis.com cdn.polyfill.io https://buttons.github.io  cdn.jsdelivr.net *.zencdn.net https://cdnjs.cloudflare.com https://*.google-analytics.com https://*.statcounter.com". Either the 'unsafe-inline' keyword, a hash ('sha256-WiE2LPSnZlTiP9NnrQN14OnMKI2ild8fGH0n+PhofS0='), or a nonce ('nonce-...') is required to enable inline execution.

So with no hash, it won't execute (and I'm not enabling unsafe-inline, as that's just a bad idea). Can we move this script to a .js file that we can calculate a hash on?

Possible Solution

Move all inline scripts to a proper script file to be included.

Steps to Reproduce

Screenshots

Browsers Affected

  • [X] Chrome
  • [ ] Firefox
  • [ ] Edge
  • [X] Safari 11
  • [X] Safari 10
  • [ ] IE 11

Detailed Description

davidgs, Oct 16 '24 20:10
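Added example, not part of the original issue or the theme's code: a Node.js build-time check that lists the inline scripts a `script-src` policy would refuse, with the hash source each one would need. The function names, the sample page and the shortened policy are constructed for illustration; a script moved to a same-origin .js file is instead covered by the `'self'` source already in the policy.

```javascript
const { createHash } = require('node:crypto');

// CSP hash source: base64 SHA-256 of the exact text between <script> and
// </script>, whitespace included (a template re-indent changes the hash).
function cspHash(scriptText) {
  return `'sha256-${createHash('sha256').update(scriptText, 'utf8').digest('base64')}'`;
}

// Source list of script-src, falling back to default-src; null if neither is set.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Inline scripts in `html` that `policy` refuses, each with the hash source
// that would allow it. Simplification: only sha256 hashes are computed.
function blockedInlineScripts(html, policy) {
  const sources = scriptSources(policy);
  if (sources === null) return [];
  const hasHashOrNonce = sources.some((s) => /^'(sha(256|384|512)|nonce)-/i.test(s));
  // Browsers ignore 'unsafe-inline' once the list contains a hash or nonce.
  if (sources.includes("'unsafe-inline'") && !hasHashOrNonce) return [];
  const blocked = [];
  const inline = /<script(?![^>]*\bsrc\s*=)([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(inline)) {
    const nonce = /\bnonce\s*=\s*["']([^"']+)["']/i.exec(attrs)?.[1];
    if (nonce && sources.includes(`'nonce-${nonce}'`)) continue;
    const hash = cspHash(body);
    if (!sources.includes(hash)) blocked.push({ hash, preview: body.trim().slice(0, 40) });
  }
  return blocked;
}

// Constructed sample input (not the real site's page or full policy).
const SAMPLE_POLICY = "script-src 'self' https://cdn.jsdelivr.net";
const SAMPLE_HTML = `<html><head>
<script>document.documentElement.setAttribute('data-theme', 'light');</script>
<script src="/js/app.js"></script>
</head></html>`;

for (const { hash, preview } of blockedInlineScripts(SAMPLE_HTML, SAMPLE_POLICY)) {
  console.log(`blocked: ${preview} -> add ${hash} to script-src`);
}
```

Run it against the rendered HTML, not the template source, because the hash covers the bytes the browser actually receives.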