Update build

foundeo · Jan 27, 2020 · 45f34ce · 45f34ce
1 parent e018d38
commit 45f34ce
Show file tree

Hide file tree

Showing 10 changed files with 48 additions and 19 deletions.
diff --git a/.eleventy.js b/.eleventy.js
@@ -0,0 +1,13 @@
+module.exports = function(eleventyConfig) {
+  eleventyConfig.addPassthroughCopy("www/css");
+  eleventyConfig.addPassthroughCopy("www/js");
+  eleventyConfig.addPassthroughCopy("www/favicon.ico");
+  eleventyConfig.addPassthroughCopy("www/robots.txt");
+  return {
+  	passthroughFileCopy: true,
+    dir: {
+      input: "www",
+      output: "_site"
+    }
+  };
+};
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,3 @@
-www/_site/
-www/node_modules/
-www/package-lock.json
+package-lock.json
+_site/
+node_modules/
diff --git a/netlify.toml b/netlify.toml
@@ -1,6 +1,6 @@
 [build]
   publish = "_site/"
-  command = "eleventy --input ./www/ --output ./_site"
+  command = "eleventy"
 [[headers]]
   for = "/*"
   [headers.values]

diff --git a/package.json b/package.json
@@ -2,4 +2,4 @@
   "devDependencies": {
     "@11ty/eleventy": "^0.10.0"
   }
-}
+}
diff --git a/www/.eleventy.js b/www/.eleventy.js
diff --git a/www/.htaccess b/www/.htaccess
diff --git a/www/index.html b/www/index.html
@@ -120,7 +120,7 @@ <h2 id="directive">Directive Reference</h2>
           </td>
         </tr>
         <tr>
-          <td><code>script-src</code></td>
+          <td><a href="/script-src/"><code>script-src</code></a></td>
           <td><code>'self' js.example.com</code></td>
           <td>
             Defines valid sources of JavaScript.
@@ -404,7 +404,7 @@ <h2 id="source_list">Source List Reference</h2>
             <td>Allows an inline script or CSS to execute if its hash matches the specified hash in the header. Currently supports SHA256, SHA384 or SHA512.  <span class="label label-success">CSP Level 2</span> </td>
           </tr>
           <tr>
-            <td><code>'nonce-'</code></td>
+            <td><a href="/nonce/" title="Nonce Support in CSP"><code>'nonce-'</code></a></td>
             <td><code>script-src 'nonce-r@nd0m'</code></td>
             <td>Allows an inline script or CSS to execute if the script (eg: <code>&lt;script nonce="r@nd0m"&gt;</code>) tag contains a nonce attribute matching the nonce specifed in the CSP header. The nonce should be a secure random string, and should not be reused. <span class="label label-success">CSP Level 2</span> </td>
           </tr>

diff --git a/www/nonce.html b/www/nonce.html
@@ -0,0 +1,25 @@
+---
+title: Using a nonce in CSP
+layout: layout
+---
+<div class="jumbotron">
+	<h1>Using a <code>nonce</code> with CSP</h1>
+	<div class="lead">A <code>nonce</code> is a randomly generated token that should be used only one time. </div>
+</div>
+<h2>Example Nonce Usage</h2>
+<p>Using a <code>nonce</code> is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP <a href="/script-src/"><code>script-src</code></a> directive:</p>
+<pre>
+script-src 'nonce-r@nd0m';
+</pre>
+<blockquote>
+	<strong>NOTE:</strong> We are using the phrase: <em>r@nd0m</em> to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request.
+</blockquote>
+<p>Now we can allow an inline <code>&lt;script&gt;</code> tag to execute by adding our random nonce value in the <code>nonce</code> attribute of the <code>script</code> tag:</p>
+<pre>
+&lt;script nonce="r@nd0m"&gt;
+	doWhatever();
+&lt;/script&gt;
+</pre>
+<h2>Nonce Browser Support</h2>
+<p>The <code>nonce</code> source list directive was added to CSP Level 2. This means that support has existed since 2015 in Chrome and Firefox, Safari 10+ or Edge 15+.</p>
+<p>It is not supported at all in Internet Explorer, you need to use the Edge browser instead.</p>
diff --git a/www/package.json b/www/package.json
diff --git a/www/script-src.html b/www/script-src.html
@@ -30,7 +30,7 @@ <h4>Blocks</h4>
   runInlineScript();
 &lt;/script&gt;
 </pre>
-<p>Blocked because inline scripts are blocked by default, you have to use hashes or a nonce (CSP Level 2) to get allow inline scripts to run.</p>
+<p>Blocked because inline scripts are blocked by default, you have to use hashes or a <a href="/nonce/" title="CSP with Nonce">nonce</a> (CSP Level 2) to get allow inline scripts to run.</p>
 <pre>
 &lt;button onClick="runInlineScript();"&gt;
   All JS Event Handlers Blocked
@@ -53,5 +53,6 @@ <h4>Supported</h4>
 	<h4>Not Supported</h4>
 	<div class="label label-default" title="IE - Not Supported"><i class="fa fa-edge"></i> Internet Explorer</div>
 </div>
-<p>The CSP <code>script-src</code> directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1). However some features such as hashes and nonce were introduced in CSP Level 2. Support for these features is still very good.</p>
+<br>
+<p>The CSP <code>script-src</code> directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1). However some features such as hashes and <a href="/nonce/" title="CSP with nonce">nonce</a> were introduced in CSP Level 2. Support for these features is still very good.</p>
 <p>Internet Explorer 11 and below do not support the <code>script-src</code> directive. This means that IE11 will simply ignore the policy and allow any script to run (as if a policy had not been set at all).</p>
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,4 +2,4 @@ @@
       "devDependencies": {
         "@11ty/eleventy": "^0.10.0"
       }
-    }
+    }