> Not sure where Zola can fit dynamic CSP mechanics, but there might be a solution one day: https://www.netlify.com/blog/general-availability-content-se...

That’s how I got it to work yesterday, Netlify apparently has a dynamic and Nonce generator per request, which is something Zola doesn’t and won’t have unless you have the nonce hardcoded, which is useless.

> might have figured out how to deploy Cactus with a strict CSP. It can't find the room tho, even when I deploy following the official guide, so this looks like something on their end (waiting for confirmation)

True, the room thing didn’t show up for me.

Looking at your repo, I see you have it in your head as a meta tag, not the toml file. Interesting approach; I can see how there’s an advantage to that since you have more control with variables, but I found that if you scan your site for CSP headers, none of them shows up. Not sure if that’s a good or bad thing; nonetheless, I will try it and compare it to the nonce way for a while to see which one is better. Thanks for sharing it!

> It's actually pretty handy; it makes the directory structure cleaner, and asset access is more direct within post pages.

Exactly, it was going to be a deal breaker for me when I migrated to Zola around a year ago; having all assets in one directory is just chaotic.

Some scanners ignore them in the meta tag, looking only at HTTP headers (just like some browsers). I thought Netlify would merge meta CSP into an HTTP header, but it seems like this is not the case.