Move most styles/scripts out of line and try to combine them where possible #2198
Replies: 5 comments
Just a sidenote, this is of course no request to change anything, it is just a remark, and I think there is at least some value in enabling people to implement strict CSPs even on a static site. It however is at least somewhat unnecessary compared to for example Wordpress etc., but that doesn't mean it isn't a good idea to do it if possible. Also thank you very much to everyone that has worked on this awesome project! The theme is what got me motivated to start with Hugo.
After merging #2209 and merging #2196 to my own site (instead of the theme) this is the full HTTP PUT/POST request to Cloudflare API. Now everything is below 4k chars (max 3442 chars). There is still a lot of room for improvement though.
After merging #2211 as well, the CSP is down to 3010 chars (this should be clear, but of course only for that very simple site) with only very few hashes remaining in After also merging #2218 (where I removed all inline event handlers) all console errors due to inline event handlers are gone and as far as I can tell, the CSP works well for my simple site. I hope that these PRs will get merged so that people will be able to use CSPs. EDITED BECAUSE: For my use case this is a massive improvement and there is definitely still room for more. I'm not sure if there is an equally nice way to eliminate the remaining scripts/styles that wouldn't compromise on readability. Just as a proof of concept: This is the CI/CD now succeeding.
Okay, after merging #2254 #2260 #2268 #2253 and #2252 there are only 2252 characters left of the CSP. I'm not sure if there are additional relevant commits, but I used my own tmp branch if you want to try this yourself. Also because of #2260, no manual overrides are required for this. The current CSP provides the same security as the one in #2198 (comment) but saves almost 50% of the characters. This is pretty great. You should remember that this is for a pretty simple site, but at least I have gotten rid of most of the annoying inline styles/scripts already. This is the current HTTP PUT/POST request to Cloudflare API. I don't use repo shortcodes at the moment, but #2269 has also moved those out of line. Just to keep this updated.
This is the current HTTP PUT/POST request to Cloudflare API. This is on the current dev branch (0999dc2) with #2252 merged as well. That's
Hi,
When trying to implement a content security policy I've noticed that it is quite hard to stay below some limits imposed by Cloudflare. As far as I know, other providers also impose limits on HTTP headers and I can't find any documentation for what that limit is exactly for Cloudflare.
This currently is the result of me using bash scripts to find inline and out of line styles/scripts and generating hashes for them:
For anyone interested, here is my current CI/CD generating these policies. And this is it failing. I btw couldn't find documentation on what code 20087 means, but every time the CSP is over 4k chars it has been rejected so far. The CSP alone is 4145 characters. This contains all inline scripts/styles and also all out of line scripts (because of 'strict-dynamic') that are generated in ./public. My site however is actually very simple. It has almost no text content, doesn't use any shortcodes like youtube embed etc. So for a larger site that character count increases. I have noticed this with a repo of example sites where they all have different content. This is an example for a full HTTP PUT/POST request to Cloudflare API for these sites.
Since you can't go below sha256, that means it is impossible to implement a CSP that doesn't violate these restrictions on HTTP header size. This btw uses a theme already merging #2194 and #2196.
Since I have not really contributed anything to this project yet, I don't want to just start moving everything out of line and upset someone. I am also not that familiar with the codebase.
Therefore I am asking:
Would you approve of moving scripts/styles out of line and trying to combine them to allow somewhat strict CSPs that can be deployed to for example Cloudflare?
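The hash-generation step the post describes (scan the rendered site for inline scripts/styles, hash each one, hash the out-of-line scripts too because of 'strict-dynamic', and see whether the resulting header stays under the provider's size limit), as an added example that is not part of this thread, the theme, or the author's bash scripts. It runs over two constructed sample pages standing in for files under ./public and one constructed asset; the 4096-character limit is an assumption (the thread only observes that policies over roughly 4k characters are rejected with code 20087, whose meaning is undocumented). Identical inline blocks on different pages collapse to a single hash, which is the effect of combining scripts/styles that the thread is after, and inline event handlers are counted separately because no hash-source can allow them.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample pages standing in for rendered files under ./public (not from the thread).
PAGES = {
    "index.html": """<!doctype html><html><head>
<style>body{margin:0}</style>
<script>console.log('hello');</script>
<script src="/js/app.js"></script>
</head><body><button onclick="alert(1)">click</button></body></html>""",
    "about.html": """<!doctype html><html><head>
<style>body{margin:0}</style>
<script>console.log('about');</script>
<script src="/js/app.js"></script>
</head><body></body></html>""",
}
# Constructed out-of-line asset content, keyed by the src attribute that references it.
ASSETS = {"/js/app.js": "document.title = 'demo';\n"}


class InlineCollector(HTMLParser):
    """Collect inline <script>/<style> bodies, external script srcs and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.scripts, self.styles, self.external = [], [], []
        self.event_handlers = 0
        self._current, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # on* attributes cannot be allowed by a hash-source; they must be moved out of line
        self.event_handlers += sum(1 for name in attrs if name.startswith("on"))
        if tag == "script" and attrs.get("src"):
            self.external.append(attrs["src"])
        elif tag in ("script", "style"):
            self._current, self._buf = tag, []

    def handle_data(self, data):
        if self._current:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._current:
            target = self.scripts if tag == "script" else self.styles
            target.append("".join(self._buf))  # the exact element body is what gets hashed
            self._current = None


def csp_hash(source: str) -> str:
    """CSP hash-source: base64 of SHA-256 over the exact element body, in single quotes."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_policy(pages: dict, assets: dict) -> dict:
    """Build a hash-based CSP for a set of rendered pages and report what it covers."""
    script_hashes, style_hashes, missing = set(), set(), set()
    handlers = 0
    for html in pages.values():
        collector = InlineCollector()
        collector.feed(html)
        collector.close()
        # sets deduplicate: the same inline block on many pages costs one hash
        script_hashes.update(csp_hash(s) for s in collector.scripts)
        style_hashes.update(csp_hash(s) for s in collector.styles)
        handlers += collector.event_handlers
        # with 'strict-dynamic' the out-of-line scripts are allowed by hashing their content too
        for src in collector.external:
            if src in assets:
                script_hashes.add(csp_hash(assets[src]))
            else:
                missing.add(src)
    policy = "; ".join([
        "default-src 'none'",
        "script-src 'strict-dynamic' " + " ".join(sorted(script_hashes)),
        "style-src " + " ".join(sorted(style_hashes)),
        "img-src 'self'",
    ])
    return {"policy": policy, "script_hashes": len(script_hashes),
            "style_hashes": len(style_hashes), "event_handlers": handlers,
            "missing_assets": sorted(missing)}


def fits_header_limit(policy: str, limit: int = 4096) -> bool:
    """Check the header value against an assumed provider limit (4096 is a placeholder)."""
    return len(policy) <= limit


if __name__ == "__main__":
    result = build_policy(PAGES, ASSETS)
    print(result["policy"])
    print("length:", len(result["policy"]), "fits:", fits_header_limit(result["policy"]))
    print("inline event handlers still to remove:", result["event_handlers"])
```

Pointing build_policy at the real output directory means reading each .html file and each referenced .js file into the two dicts; the length check then tells you before the Cloudflare API call whether the policy will be rejected, and the event-handler count tells you how many on* attributes still stand in the way of a hash-only policy.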