Improve docs for how to modify the CSP (google#110)

hlnb · Oct 9, 2021 · f66b940 · f66b940
1 parent 676789e
commit f66b940
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -138,7 +138,7 @@ npm run build
 
 ### Security
 
-Generates a strong CSP for the base template.
+Generates a strong [Content-Security-Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) for the base template.
 
 - Default-src is self.
 - Disallows plugins.

diff --git a/_data/csp.js b/_data/csp.js
@@ -36,6 +36,7 @@ const CSP = {
     // No plugins
     ["object-src", quote("none")],
     // Script from same-origin and inline-hashes.
+    // If you need to add an external host for scripts you need to add an item like 'https://code.jquery.com/jquery-3.6.0.slim.min.js' to this list.
     ["script-src", SELF, /* Replaced by csp.js plugin */ "HASHES"],
     // Inline CSS is allowed.
     ["style-src", quote("unsafe-inline")],

diff --git a/_includes/layouts/base.njk b/_includes/layouts/base.njk
@@ -8,6 +8,7 @@
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <!-- See _data/csp.js for how to add to the CSP. -->
     <meta http-equiv="Content-Security-Policy" content="{{ csp.regular | safe }}">
     {% if isdevelopment %}
     <link rel="icon" href="/favicon.svg" type="image/svg+xml">