
Comments (6)

Keats commented on June 1, 2024

No way currently afaik but we could add a random Tera function. Do you want the output to be deterministic or would it be ok if all the values generated change on every build?

from zola.

itstamimi commented on June 1, 2024

Actually after some testing, it seems even Nonce won't solve the issue either, as it looks like Zola 'alters' the JavaScript MIME type?
So the boring details are as follows:
I have created a shortcode for Cactus comments (https://cactus.chat/) that will add comments to the end of my posts, the shortcode is as follows:


<script type="text/javascript" src="https://latest.cactus.chat/cactus.js"></script>
<!-- css in my main css -->
<script>
initComments({
  node: document.getElementById("comment-section"),
  defaultHomeserverUrl: "https://matrix.cactus.chat:8448",
  serverName: "cactus.chat",
  siteName: "Site",
  commentSectionId: `{{ page.permalink | replace(from='http://', to='') | replace(from='https://', to='') | split(pat='/') | slice(start=2) | join(sep='/') | trim_end_matches(pat='/')}}`,
  guestPostingEnabled: false
})
</script>

And this works perfectly fine as long as the CSP isn't blocking any inline (script, img, etc.), which is not something I want, so I made the shortcode as follows, added to the site static directory to match the policy, and I even added the sha-256 integrity and the hashes to the CSP with script-src 'self' 'sha256-12345..' just to eliminate any issue.

<script src="{{ get_url(path='js/cactus.js', trailing_slash=false, cachebust=true) | safe }}"{%- if config.extra.integrity | default(value=true) %} integrity="sha256-{{ get_hash(path='js/cactus.js', sha_type=256, base64=true) | safe }}"{%- endif %}></script>
<div id="comment-section"></div>
<script src="{{ get_url(path='js/cactus_inline.js', trailing_slash=false, cachebust=true) | safe }}"{%- if config.extra.integrity | default(value=true) %} integrity="sha256-{{ get_hash(path='js/cactus_inline.js', sha_type=256, base64=true) | safe }}"{%- endif %}></script>

Where cactus_inline.js is the little second script above.
And this works in terms of loading the script, however, the browser now sees this part as raw text instead of a variable {{ page.permalink | replace(from='http://', to='') | replace(from='https://', to='') | split(pat='/') | slice(start=2) | join(sep='/') | trim_end_matches(pat='/')}}, which obviously doesn't load any comments because Matrix restricts the ID (or room name) characters. This section is important to have as a unique ID for each post, else the comments will be the same in ALL of your posts.

Adding these scripts in the head section didn't change anything either, changing the default MIME type didn't fix it either, nor did a different type of hash.

So, I suspect it has to do with Zola and how it renders/reads these variables?

Zola version:
0.18.0

itstamimi commented on June 1, 2024

Ok as usual, I find the solution minutes after posting any issue :)

The only workaround that worked for me right now, is to keep the script inline (like the first code block) and calculate the hash for it and add it to the CSP script-src.

I will close the issue, but if someone has a better solution later, feel free to add it, I will also make a short blog post on how to install Cactus on Zola for future reference.

itstamimi commented on June 1, 2024

Unfortunately, reopening it again, it seems indeed Nonce is the only way. The problem with the hash way is you would need to make a hash for each post, and that's due to the fact the variable inside the script will have the post title..
@Keats Can the Nonce be generated for every page load/reload? every build is a little too much, unless you post frequently.

Keats commented on June 1, 2024

> @Keats Can the Nonce be generated for every page load/reload? every build is a little too much, unless you post frequently.

We don't have a concept of page load or state between builds so no.
The best solution for ids is still to hardcode it in extra
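
Added example (not part of the original thread, and not Zola or Cactus code): the per-post hash problem discussed above, shown by computing the CSP `'sha256-…'` source for the inline script of two constructed pages. The page template, the section ids and the function names are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed page modelled on the shortcode in the thread; %s is the per-post id.
TEMPLATE = """<div id="comment-section"></div>
<script src="/js/cactus.js"></script>
<script>
initComments({
  node: document.getElementById("comment-section"),
  commentSectionId: `%s`,
  guestPostingEnabled: false
})
</script>"""


class InlineScripts(HTMLParser):
    """Collect the exact text of each <script> element that has no src."""

    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def csp_hashes(html):
    """Return one 'sha256-<base64>' source per inline script, whitespace included."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return ["'sha256-%s'" % base64.b64encode(
        hashlib.sha256(body.encode("utf-8")).digest()).decode("ascii")
        for body in parser.scripts]


def script_src(html):
    """Build a script-src directive allowing exactly this page's inline scripts."""
    return "script-src 'self' " + " ".join(csp_hashes(html))


if __name__ == "__main__":
    for post in ("blog/first-post", "blog/second-post"):  # hypothetical ids
        print(post, "->", script_src(TEMPLATE % post))
```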
