Textpattern CMS support forum
txp:header with txp tag as part of the value string
input (simplified for demonstration), in a Page template (first thing):
<txp:smd_token name="my_csp" length="24" display="0" />
<txp:header name="Content-Security-Policy" value="default-src 'none'; style-src-elem '<txp:smd_token name="my_csp" prefix="nonce-" />';" />
The tag (txp:header) is not parsed, however the nested tag is parsed. As a consequence, the HTTP header is not sent.
The output – literally as seen in the source code of the page
<txp:header name="Content-Security-Policy" value="default-src 'none'; style-src-elem 'nonce-6904c9ea6dc9624edfe03ead';" />
The possibility cannot be discarded that I am doing something wrong, kind advice to correct syntax appreciated!
note:
- the quotes around the values for the individual directives must be single quotes otherwise the browser cannot parse the header
- the particular tag (smd_token) is not important, I see the same issue with e.g. txp:variable name="foo".
- sending a CSP header with txp:header works otherwise perfectly fine, e.g. value="default-src 'none'; base-uri 'none';" (again simplified)
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: txp:header with txp tag as part of the value string
What happens here is that
<txp:header name="Content-Security-Policy" value="default-src 'none'; style-src-elem '<txp:smd_token name="my_csp" prefix="nonce-" />';" />
is not recognized as a txp tag, because of misuse of the double quotes. Recall that txp tags are not parsed inside double quotes, so txp sees it like
<txp:header name="Content-Security-Policy"
value="default-src 'none'; style-src-elem '<txp:smd_token name="
my_csp" prefix="nonce-" />';" />
and leaves it as is, since this does not match the txp tag pattern.
The solution is to switch to single quotes and double them like this:
<txp:header name="Content-Security-Policy"
value='default-src ''none''; style-src-elem ''<txp:smd_token name="my_csp" prefix="nonce-" />'';' />
Another possibility is to enable the second pass, but it would be a hack.
Re: txp:header with txp tag as part of the value string
Hmm, yeah, that seems to work alright. Thank you.
But it is horribly difficult to read. Luckily it is not the type of code fragment that needs changing or updating frequently.
<txp:header name="Content-Security-Policy"
value='default-src ''self''; base-uri ''none''; connect-src ''self''; font-src ''self''; form-action ''self''; frame-ancestors ''self''; frame-src ''self'' https://bandcamp.com https://player.vimeo.com https://www.youtube-nocookie.com; img-src blob: data: ''self''; manifest-src ''self''; media-src data: ''self''; object-src ''none''; script-src ''unsafe-inline'' ''self''; script-src-attr ''none''; script-src-elem ''strict-dynamic'' ''<txp:smd_token name="my_csp" prefix="nonce-" />''; style-src ''self''; style-src-attr ''sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY=''; style-src-elem ''<txp:smd_token name="my_csp" prefix="nonce-" />'';' />
Something to store in the notebook and copy when needed.
Re: txp:header with txp tag as part of the value string
You can slightly improve the readability:
<txp:variable name="my_csp" value='<txp:smd_token name="my_csp" prefix="nonce-" />'
wraptag="default-src 'self'; style-src-elem '<+>'; etc" />
<txp:header name="Content-Security-Policy" value='<txp:variable name="my_csp" />' />
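A long, hand-escaped policy like the ones in this thread is worth checking once it reaches the browser, since a directive the browser does not recognise is ignored rather than enforced. The following is an added example, not code from the thread or from Textpattern: `check_csp` and `nonces` are hypothetical helper names, the directive list is not exhaustive, and the sample policy is constructed.

```python
import re

# Directive names from CSP Level 3 plus Trusted Types (not exhaustive; extend as needed).
KNOWN_DIRECTIVES = {
    "default-src", "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "script-src-elem",
    "script-src-attr", "style-src", "style-src-elem", "style-src-attr", "worker-src",
    "base-uri", "sandbox", "form-action", "frame-ancestors", "report-uri", "report-to",
    "upgrade-insecure-requests", "trusted-types", "require-trusted-types-for",
}
# nonce-source grammar: 'nonce-' followed by a base64-value, inside single quotes.
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/_-]+={0,2}'$")


def check_csp(value):
    """Return a list of problems found in a Content-Security-Policy header value."""
    problems = []
    if "<txp:" in value:  # a template tag reached the header unparsed
        problems.append("unparsed template tag in value")
    if "''" in value:  # template-level quote escaping was not collapsed
        problems.append("doubled single quote left in value")
    seen = set()
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive: {name}")
        if name in seen:  # browsers keep the first occurrence and ignore the rest
            problems.append(f"duplicate directive: {name}")
        seen.add(name)
        for src in sources:
            if "nonce-" in src and not NONCE_RE.match(src):
                problems.append(f"malformed nonce source in {name}: {src}")
    return problems


def nonces(value):
    """Return the set of nonce values the policy allows."""
    return set(re.findall(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'", value))


if __name__ == "__main__":
    # Constructed sample with a misspelled directive and a repeated one.
    sample = "default-src 'self'; scrpt-src-elem 'nonce-abc123'; default-src 'none'"
    print(check_csp(sample), nonces(sample))
```

Every nonce returned by `nonces` should also appear as the `nonce` attribute of the matching `<style>` or `<script>` elements in the same response, and should differ between responses.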