6 changes: 0 additions & 6 deletions content/post/2025-07-19-zine-migration.smd
Expand Up @@ -171,21 +171,15 @@ Zine 布局有几个关键特性:
<ctx :if="$page.custom.getOr('math', false)">
<link
href="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/katex.min.css"
integrity="sha512-fHwaWebuwA7NSF5Qg/af4UeDx9XqUpYpOGgubo3yWu+b2IQR4UeQwbb42Ti7gVAjNtVoI/I9TEoYeu9omwcC6g=="
crossorigin="anonymous"
rel="stylesheet"
/>
<script
defer
src="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/katex.min.js"
integrity="sha512-LQNxIMR5rXv7o+b1l8+N1EZMfhG7iFZ9HhnbJkTp4zjNr5Wvst75AqUeFDxeRUa7l5vEDyUiAip//r+EFLLCyA=="
crossorigin="anonymous"
></script>
<script
defer
src="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/contrib/auto-render.min.js"
integrity="sha512-iWiuBS5nt6r60fCz26Nd0Zqe0nbk1ZTIQbl3Kv7kYsX+yKMUFHzjaH2+AnM6vp2Xs+gNmaBAVWJjSmuPw76Efg=="
crossorigin="anonymous"
onload="renderMathInElement(document.body);"
security-medium medium

The integrity and crossorigin attributes were removed from the KaTeX resources, disabling Subresource Integrity (SRI). This exposes the site to supply chain attacks if the CDN is compromised, especially given the very loose Content Security Policy (CSP) also implemented. SRI is a crucial security feature that verifies resources from third-party servers haven't been tampered with. If redirects are causing SRI failures, consider using a more stable CDN provider or hosting the assets locally instead of disabling this security control.

></script>
</ctx>
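Review bot: The three SHA-512 values being deleted in this hunk are still visible on the removed lines, so the check can be restored at no cost once the cause of the failures is known; before dropping it, fetch katex.min.css, katex.min.js and contrib/auto-render.min.js from cdnjs.webstatic.cn, compute their sha512 and compare with the removed integrity values. If the digests differ, the mirror is serving different bytes from what the hashes were computed for and SRI was doing exactly its job; the fix that keeps the control is to copy the three files into the site's own assets (the CSP added in this same PR already allows 'self' for script-src and style-src) rather than loading unverified copies. If the digests match and only a redirect breaks the check, pointing the tags at the final URL keeps integrity working without self-hosting.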
8 changes: 3 additions & 5 deletions layouts/post.shtml
@@ -1,12 +1,10 @@
<extend template="base.shtml">
<head id="head">
<ctx :if="$page.custom.getOr('math', false)">
<link href="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/katex.min.css" integrity="sha512-fHwaWebuwA7NSF5Qg/af4UeDx9XqUpYpOGgubo3yWu+b2IQR4UeQwbb42Ti7gVAjNtVoI/I9TEoYeu9omwcC6g==" crossorigin="anonymous" rel="stylesheet">
<link href="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/katex.min.css" rel="stylesheet">
<script
defer
src="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/katex.min.js"
integrity="sha512-LQNxIMR5rXv7o+b1l8+N1EZMfhG7iFZ9HhnbJkTp4zjNr5Wvst75AqUeFDxeRUa7l5vEDyUiAip//r+EFLLCyA=="
crossorigin="anonymous"
></script>
<script>
function renderKaTeX() {
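Review bot: Dropping crossorigin="anonymous" from the katex.min.js tag (and the katex.min.css link) has a cost beyond SRI: a cross-origin script loaded without a crossorigin attribute reports its runtime exceptions to window.onerror only as the opaque "Script error." message, so failures inside KaTeX on the live site lose their stack and message. If the integrity attribute has to go because the mirror rewrites the file, keep crossorigin="anonymous" on its own; it works without integrity as long as the host sends an Access-Control-Allow-Origin header, which the previous working configuration with integrity already relied on.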
Expand All @@ -20,10 +18,10 @@
});
}
</script>
<script defer src="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/contrib/auto-render.min.js" integrity="sha512-iWiuBS5nt6r60fCz26Nd0Zqe0nbk1ZTIQbl3Kv7kYsX+yKMUFHzjaH2+AnM6vp2Xs+gNmaBAVWJjSmuPw76Efg==" crossorigin="anonymous" onload="renderKaTeX()"></script>
<script defer src="https://cdnjs.webstatic.cn/ajax/libs/KaTeX/0.16.9/contrib/auto-render.min.js" onload="renderKaTeX()"></script>
</ctx>
<ctx :if="$page.custom.getOr('mermaid', false)">
<script defer src="https://cdnjs.webstatic.cn/ajax/libs/mermaid/11.12.0/mermaid.min.js" integrity="sha512-5TKaYvhenABhlGIKSxAWLFJBZCSQw7HTV7aL1dJcBokM/+3PNtfgJFlv8E6Us/B1VMlQ4u8sPzjudL9TEQ06ww==" crossorigin="anonymous" onload="mermaid.initialize({theme: window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'default'}); mermaid.run();"></script>
<script defer src="https://cdnjs.webstatic.cn/ajax/libs/mermaid/11.12.0/mermaid.min.js" onload="mermaid.initialize({theme: window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'default'}); mermaid.run();"></script>
</ctx>
high

As with the other resources, removing Subresource Integrity (SRI) for the KaTeX and Mermaid scripts is a security risk. It makes your site vulnerable to attacks originating from a compromised CDN. It is highly advisable to restore SRI protection, perhaps by self-hosting these dependencies.

</head>
<body id="body">
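Review bot: Both tags in this hunk keep their inline onload="..." handlers while losing integrity, and those handler attributes are what forces 'unsafe-inline' into the script-src of the CSP added in layouts/templates/base.shtml: CSP cannot allow an inline event handler by hash without 'unsafe-hashes', whereas a fixed inline <script> block such as the renderKaTeX one above can be allowed by a static hash or a nonce. Registering the load handlers from that block with addEventListener('load', ...) on the script elements, instead of onload= attributes, removes the last need for 'unsafe-inline'. Separately, mermaid.run() hands an unverified mermaid.min.js 11.12.0 full control of every post that sets custom.mermaid, so a self-hosted copy with the integrity attribute restored is the smallest change that brings the check back for both files.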
1 change: 1 addition & 0 deletions layouts/templates/base.shtml
Expand Up @@ -3,6 +3,7 @@
<head id="head">
<meta charset="utf-8">
<meta name="viewport" content="initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.webstatic.cn https://cdnjs.cloudflare.com https://hm.baidu.com; style-src 'self' 'unsafe-inline' https://cdnjs.webstatic.cn https://cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self' https://en.liujiacai.net https://cdnjs.cloudflare.com https://hm.baidu.com;">

security-medium medium

The newly added Content Security Policy (CSP) is overly permissive, significantly reducing its effectiveness against Cross-Site Scripting (XSS) attacks. The use of 'unsafe-inline' and 'unsafe-eval' in script-src allows arbitrary inline scripts and dangerous functions, posing major security risks. Additionally, the img-src directive using https: is too broad, allowing images from any HTTPS domain, which could be abused. Whitelisting entire CDN domains like cdnjs.cloudflare.com is also a known risk.
Recommendations:

1. Remove 'unsafe-inline': Refactor inline scripts or use CSP nonces/hashes.
2. Remove 'unsafe-eval': Investigate library configurations that don't rely on eval().
3. Tighten img-src: Replace https: with a whitelist of specific domains.

It is recommended to use nonces or hashes for legitimate inline scripts and to be more restrictive with allowed sources to strengthen this policy.

<meta name="algolia-site-verification" content="12324D77A7D77468">
<title :text="$page.title"></title>
<link type="text/css" rel="stylesheet" href="$site.asset('style.css').link()">
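Review bot: The policy on the added line has no default-src, so every fetch directive it does not name (font-src, frame-src, object-src, worker-src, media-src, manifest-src) falls back to allowing any origin; add default-src 'self' and object-src 'none', then add a font-src entry for the host that serves katex.min.css, because KaTeX's stylesheet loads its fonts relative to its own URL and they would otherwise be blocked once default-src is restricted. A CSP delivered in a <meta> tag also cannot carry frame-ancestors, report-uri or sandbox, so clickjacking protection and violation reporting need the Content-Security-Policy HTTP header rather than this tag. On the 'unsafe-inline' in script-src: it is required today by the onload= attributes on the script tags in layouts/post.shtml and by the inline renderKaTeX block; the block can be allowed with a hash or nonce, but the handler attributes cannot (that needs 'unsafe-hashes'), so converting them to addEventListener calls is the concrete prerequisite for recommendation 1 of the comment above. Note that 'unsafe-inline' in style-src is a separate matter, since rendered KaTeX and Mermaid output carries inline style attributes.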