Comments (6)
No way currently afaik but we could add a random Tera function. Do you want the output to be deterministic or would it be ok if all the values generated change on every build?
from zola.
Actually after some testing, it seems even Nonce won't solve the issue either, as it looks like Zola 'alters' the JavaScript MIME type?
So the boring details are as follows:
I have created a shortcode for Cactus comments (https://cactus.chat/) that will add comments to the end of my posts, the shortcode is as follows:
```html
<script type="text/javascript" src="https://latest.cactus.chat/cactus.js"></script>
<!-- css in my main css -->
<script>
  initComments({
    node: document.getElementById("comment-section"),
    defaultHomeserverUrl: "https://matrix.cactus.chat:8448",
    serverName: "cactus.chat",
    siteName: "Site",
    commentSectionId: `{{ page.permalink | replace(from='http://', to='') | replace(from='https://', to='') | split(pat='/') | slice(start=2) | join(sep='/') | trim_end_matches(pat='/')}}`,
    guestPostingEnabled: false
  })
</script>
```
And this works perfectly fine as long as the CSP isn't blocking any inline (script, img, etc.), which is not something I want, so I made the shortcode as follows, added to the site static directory to match the policy, and I even added the sha-256 integrity and the hashes to the CSP with `script-src 'self' 'sha256-12345..'` just to eliminate any issue.
```html
<script src="{{ get_url(path='js/cactus.js', trailing_slash=false, cachebust=true) | safe }}"{%- if config.extra.integrity | default(value=true) %} integrity="sha256-{{ get_hash(path='js/cactus.js', sha_type=256, base64=true) | safe }}"{%- endif %}></script>
<div id="comment-section"></div>
<script src="{{ get_url(path='js/cactus_inline.js', trailing_slash=false, cachebust=true) | safe }}"{%- if config.extra.integrity | default(value=true) %} integrity="sha256-{{ get_hash(path='js/cactus_inline.js', sha_type=256, base64=true) | safe }}"{%- endif %}></script>
```
Where `cactus_inline.js` is the little second script above.
And this works in terms of loading the script, however, the browser now sees this part as raw text instead of a variable: `{{ page.permalink | replace(from='http://', to='') | replace(from='https://', to='') | split(pat='/') | slice(start=2) | join(sep='/') | trim_end_matches(pat='/')}}`, which obviously doesn't load any comments because Matrix restricts the ID (or room name) characters. This section is important to have as a unique ID for each post, else the comments will be the same in ALL of your posts.
Adding these scripts in the head section didn't change anything either; changing the default MIME type didn't fix it either, nor did a different type of hash.
So, I suspect it has to do with Zola and how it renders/reads these variables?
Zola version: 0.18.0
from zola.
Ok as usual, I find the solution minutes after posting any issue :)
The only workaround that worked for me right now, is to keep the script inline (like the first code block) and calculate the hash for it and add it to the CSP script-src.
I will close the issue, but if someone has a better solution later, feel free to add it, I will also make a short blog post on how to install Cactus on Zola for future reference.
from zola.
Unfortunately, reopening it again, it seems indeed Nonce is the only way. The problem with the hash way is you would need to make a hash for each post, and that's due to the fact the variable inside the script will have the post title..
@Keats Can the Nonce be generated for every page load/reload? every build is a little too much, unless you post frequently.
from zola.
> @Keats Can the Nonce be generated for every page load/reload? every build is a little too much, unless you post frequently.
We don't have a concept of page load or state between builds so no.
The best solution for ids is still to hardcode it in extra
from zola.
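
An added example, not code from the thread or from the Zola or Cactus projects: a Node.js script showing why the inline-hash workaround needs one CSP hash per post, next to a static `cactus_inline.js` that reads the ID from a data attribute the shortcode renders. The `data-section-id` attribute, the reduced `initComments` options and the sample IDs are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

// CSP hash source for an inline <script>: base64 SHA-256 over the exact
// text between the tags, whitespace included.
function cspHashSource(scriptBody) {
  const b64 = createHash("sha256").update(scriptBody, "utf8").digest("base64");
  return `'sha256-${b64}'`;
}

// Inline variant: what the shortcode renders to once Zola has substituted
// the page-specific ID (options reduced for brevity).
function renderInlineInit(sectionId) {
  return [
    "initComments({",
    '  node: document.getElementById("comment-section"),',
    "  commentSectionId: `" + sectionId + "`,",
    "  guestPostingEnabled: false",
    "})",
  ].join("\n");
}

// One hash per distinct inline body, so script-src grows with every post.
function inlinePolicy(sectionIds) {
  const hashes = [...new Set(sectionIds.map((id) => cspHashSource(renderInlineInit(id))))];
  return ["script-src", "'self'", ...hashes].join(" ");
}

// Static variant (assumed contents of static/js/cactus_inline.js). The shortcode
// renders the ID into the markup instead, where templates are evaluated:
//   <div id="comment-section" data-section-id="{{ ...permalink filter chain... }}"></div>
const STATIC_INIT_JS = [
  'const node = document.getElementById("comment-section");',
  "initComments({",
  "  node,",
  "  commentSectionId: node.dataset.sectionId,",
  "  guestPostingEnabled: false",
  "});",
].join("\n");

// The file is identical for every post, so 'self' covers it without any hash.
const STATIC_POLICY = "script-src 'self'";

// Constructed sample IDs standing in for two posts.
const SAMPLE_IDS = ["first-post", "second-post"];
console.log(inlinePolicy(SAMPLE_IDS));
console.log(STATIC_POLICY, "| SRI:", cspHashSource(STATIC_INIT_JS).slice(1, -1));
```

Because the static file never changes between posts, a single `integrity` value from `get_hash` stays valid for every page.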