
static package compliant with CSP

Open oupala opened this issue 7 years ago • 7 comments

Bootmark is great for a common use case, but it doesn't work with restrictive CSP (Content Security Policies) or when a document is used in an intranet without access to the internet.

The problem is that bootmark is downloading many resources from the internet:

  • https://unpkg.com/[email protected]/dist/bootmark.bundle.min.js
  • https://maxcdn.bootstrapcdn.com/bootswatch/3.3.7/united/bootstrap.min.css
  • https://unpkg.com/[email protected]/dist/bootmark.min.css
  • https://jmblog.github.io/color-themes-for-google-code-prettify/themes/atelier-forest-light.min.css
  • https://fonts.googleapis.com/css?family=Ubuntu:400,700
  • https://fonts.gstatic.com/s/ubuntu/v12/4iCs6KVjbNBYlgoKfw72.woff2
  • https://fonts.gstatic.com/s/ubuntu/v12/4iCv6KVjbNBYlgoCxCvjsGyN.woff2

It would be great if bootmark could have a static package with all resources embedded.

This could be useful with restrictive CSP, and when there is no access to the internet (i.e. a classroom for trainings).

Any thought about that?

oupala avatar Oct 09 '18 20:10 oupala

There are already 2 bundle files, a js and a css, which should include everything but the fonts.

obedm503 avatar Oct 10 '18 02:10 obedm503

Are you talking about these resources?

  • bootmark.bundle.min.js
  • bootmark.min.css

If yes, how can I use it? When I include bootmark.bundle.min.js, it is still loading the following resources:

  • https://maxcdn.bootstrapcdn.com/bootswatch/3.3.7/united/bootstrap.min.css
  • https://unpkg.com/[email protected]/dist/bootmark.min.css
  • https://jmblog.github.io/color-themes-for-google-code-prettify/themes/atelier-forest-light.min.css
  • https://fonts.googleapis.com/css?family=Ubuntu:400,700

Can you please tell me how to use the bundle version of bootmark?

oupala avatar Oct 10 '18 08:10 oupala

For the moment this is outside the scope of this project.

When I created this I needed a super quick and easy way to show documentation for other projects. I pipe source code through jsdoc2md to generate markdown and give that markdown to bootmark to give me a better looking version in a browser. Emphasis on easy. I decided to let bootmark handle anything related to displaying the content. So, it dynamically loads all those files related to themes and the such. (This might change in a future version because I would like to leave jquery and move to a custom element.)

I suppose you could work around the issue by downloading those files yourself and linking them in the <head>. Of course, because of CSP, when bootmark tries to load them it would fail, but that is ok if you have local copies already.

obedm503 avatar Oct 11 '18 04:10 obedm503

I understand the way you created bootmark: fast and easy to use.

I already agree that the workaround you propose works, although it will still raise CSP errors (which is bad, as it becomes hard to tell the difference between real errors and normal errors).

But I'll be glad if you can add this inside the scope of this project.

oupala avatar Oct 12 '18 11:10 oupala

CSP can also block some operations, such as eval:

Error: call to eval() blocked by CSP

And this time, there is no workaround by copying resources.

Can you tell me what are eval() calls for?

oupala avatar Oct 12 '18 19:10 oupala

It's a hack to parse objects from attributes: https://github.com/obedm503/bootmark/blob/master/src/bootmark.js#L259

obedm503 avatar Oct 13 '18 02:10 obedm503
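The two concrete CSP problems in this thread are the blocked `eval()` call and the attribute-parsing hack behind it. The following is an added example (my own code, not bootmark's) showing both sides of that: a small checker that tells you from a CSP header string whether `eval()` would be refused (the "call to eval() blocked by CSP" error above), and an eval-free way to read an options object from an element attribute using `JSON.parse` plus a key whitelist. The attribute name `data-bootmark-options` and the option names in `ALLOWED_OPTIONS` are hypothetical; bootmark's real option names are not listed in this thread.

```javascript
// Added example, not bootmark's code. Runs in Node or a browser.

// Report whether a Content-Security-Policy header value permits eval().
// Per CSP, script-src governs eval; if script-src is absent, default-src applies;
// if neither directive is present, eval is not restricted by the policy.
function cspAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Hypothetical option schema: option name -> expected JS type.
const ALLOWED_OPTIONS = {
  theme: 'string',
  prettify: 'boolean',
  toc: 'boolean',
  title: 'string',
};

// Parse an attribute value as JSON (plain data, no code execution) and keep
// only known, correctly typed keys. Unquoted keys or single quotes, which the
// eval-based approach tolerated, are rejected here: the attribute must be JSON.
function parseOptionsAttribute(raw) {
  if (raw == null || raw.trim() === '') return {};
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    throw new Error(`options attribute is not valid JSON: ${err.message}`);
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('options attribute must be a JSON object');
  }
  const out = {};
  for (const [key, value] of Object.entries(parsed)) {
    const expected = ALLOWED_OPTIONS[key];
    if (!expected) throw new Error(`unknown option "${key}"`);
    if (typeof value !== expected) {
      throw new Error(`option "${key}" must be a ${expected}`);
    }
    out[key] = value;
  }
  return out;
}

// Convenience wrapper for DOM use; the attribute name is an assumption.
function readOptionsFromElement(el) {
  return parseOptionsAttribute(el.getAttribute('data-bootmark-options'));
}

// Stand-alone demonstration.
console.log(cspAllowsEval("default-src 'self'; script-src 'self'")); // false
console.log(parseOptionsAttribute('{"theme":"united","toc":true}')); // { theme: 'united', toc: true }
```

The whitelist matters because an attribute is page-controlled text: with `eval()`, anything an author (or an injection into the markdown) can place in that attribute runs as script, whereas `JSON.parse` only ever yields data, and the schema check then discards keys the renderer never asked for.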

Ok. That will be a point to take into account when it's time to comply with CSP rules.

Unfortunately, I'll have to stick with the unmaintained strapdown for the moment, as my hoster has strict CSP rules enabled.

Thanks anyway for making and maintaining bootmark!

oupala avatar Oct 13 '18 09:10 oupala