fix: move csp rule (#393)

imbajin · web-flow · commit 14fc1f7a6af0 · 2025-02-14T16:52:04.000+08:00
diff --git a/themes/docsy/layouts/_default/baseof.html b/themes/docsy/layouts/_default/baseof.html
@@ -1,12 +1,6 @@
 <!doctype html>
 <html lang="{{ .Site.Language.Lang }}" class="no-js">
   <head>
-      <!-- To handle CSP policy -->
-      <meta http-equiv="Content-Security-Policy"
-            content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com https://cdn.jsdelivr.net https://fonts.googleapis.com/;
-                    style-src 'self' 'unsafe-inline' https://code.jquery.com https://cdn.jsdelivr.net https://fonts.googleapis.com/;
-                    font-src 'self' https://cdn.jsdelivr.net;
-                    img-src 'self' data:">
     {{ partial "head.html" . }}
   </head>
   <body class="td-{{ .Kind }}{{ with .Page.Params.body_class }} {{ . }}{{ end }}">
diff --git a/themes/docsy/layouts/partials/head.html b/themes/docsy/layouts/partials/head.html
@@ -1,5 +1,11 @@
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+<!-- To handle CSP policy -->
+<meta http-equiv="Content-Security-Policy"
+      content="
+      script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org https://code.jquery.com https://cdn.jsdelivr.net https://fonts.googleapis.com/;
+      style-src 'self' 'unsafe-inline' https://code.jquery.com https://cdn.jsdelivr.net https://fonts.googleapis.com/;
+">
 {{ hugo.Generator }}
 {{ range .AlternativeOutputFormats -}}
 <link rel="{{ .Rel }}" type="{{ .MediaType.Type }}" href="{{ .Permalink | safeURL }}">
