From 45f34cefcd21bf54dafed051f7ff6706c705be5c Mon Sep 17 00:00:00 2001
From: Pete Freitag
Date: Mon, 27 Jan 2020 16:04:28 -0500
Subject: [PATCH] Update build
---
 .eleventy.js | 13 +++++++++++++
 .gitignore | 6 +++---
 netlify.toml | 2 +-
 package.json | 2 +-
 www/.eleventy.js | 4 ----
 www/.htaccess | 1 -
 www/index.html | 4 ++--
 www/nonce.html | 25 +++++++++++++++++++++++++
 www/package.json | 5 -----
 www/script-src.html | 5 +++--
 10 files changed, 48 insertions(+), 19 deletions(-)
 create mode 100644 .eleventy.js
 delete mode 100644 www/.eleventy.js
 delete mode 100644 www/.htaccess
 create mode 100644 www/nonce.html
 delete mode 100644 www/package.json
diff --git a/.eleventy.js b/.eleventy.js
new file mode 100644
index 0000000..35bddbe
--- /dev/null
+++ b/.eleventy.js
@@ -0,0 +1,13 @@
+module.exports = function(eleventyConfig) {
+ eleventyConfig.addPassthroughCopy("www/css");
+ eleventyConfig.addPassthroughCopy("www/js");
+ eleventyConfig.addPassthroughCopy("www/favicon.ico");
+ eleventyConfig.addPassthroughCopy("www/robots.txt");
+ return {
+ passthroughFileCopy: true,
+ dir: {
+ input: "www",
+ output: "_site"
+ }
+ };
+};
diff --git a/.gitignore b/.gitignore
index cfcc91a..a65eb62 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-www/_site/
-www/node_modules/
-www/package-lock.json
\ No newline at end of file
+package-lock.json
+_site/
+node_modules/
\ No newline at end of file
diff --git a/netlify.toml b/netlify.toml
index 97650ce..3267057 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -1,6 +1,6 @@
 [build]
 publish = "_site/"
- command = "eleventy --input ./www/ --output ./_site"
+ command = "eleventy"
 [[headers]]
 for = "/*"
 [headers.values]
diff --git a/package.json b/package.json
index 31f3654..6696ab6 100644
--- a/package.json
+++ b/package.json
@@ -2,4 +2,4 @@
 "devDependencies": {
 "@11ty/eleventy": "^0.10.0"
 }
-}
\ No newline at end of file
+}
diff --git a/www/.eleventy.js b/www/.eleventy.js
deleted file mode 100644
index ab77e07..0000000
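Review bot: `passthroughFileCopy: true` in the returned config object looks redundant next to the four `addPassthroughCopy` calls above it for the Eleventy release pinned in package.json (`^0.10.0`), where, as far as I recall, passthrough copy is already enabled by default; confirm against the 0.10 docs and drop the key if so. The file also has no header, although it now replaces the deleted `www/.eleventy.js` and the `--input`/`--output` flags removed from netlify.toml in the same commit, so the input/output pairing is no longer visible in one place: `// Eleventy config: site source is www/, output is _site/ (must match the publish dir in netlify.toml)`. Note that only css, js, favicon.ico and robots.txt are copied through, so any other non-template asset added under www/ later will silently not reach _site/.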
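Review bot: The `[headers.values]` table right after the changed `command` line is where the site's response headers have to live now, but its contents are outside the hunk, and this same commit deletes `www/.htaccess`, which carried the only `Content-Security-Policy` definition visible in the patch (a `default-src 'none'` policy with a `script-src` sha256 hash, presumably for an inline analytics snippet). Confirm that an equivalent `Content-Security-Policy` value, hash included, is present under `[headers.values]` before merge, otherwise the deployed site ships without the policy the pages describe. `command = "eleventy"` now depends on the root `.eleventy.js` setting `dir.input = "www"` and `dir.output = "_site"`; a comment on that line, `# input/output dirs come from .eleventy.js; publish must equal dir.output`, would tie the two files together for the next maintainer.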
--- a/www/.eleventy.js
+++ /dev/null
@@ -1,4 +0,0 @@
-module.exports = function(eleventyConfig) {
- eleventyConfig.addPassthroughCopy("css");
- eleventyConfig.addPassthroughCopy("js");
-};
diff --git a/www/.htaccess b/www/.htaccess
deleted file mode 100644
index 5f3087f..0000000
--- a/www/.htaccess
+++ /dev/null
@@ -1 +0,0 @@
-Header set Content-Security-Policy "default-src 'none'; script-src 'self' www.google-analytics.com 'sha256-xzi4zkCjuC8lZcD2UmnqDG0vurmq12W/XKM5Vd0+MlQ='; style-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; font-src https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com; img-src www.google-analytics.com;"
\ No newline at end of file
diff --git a/www/index.html b/www/index.html
index 7f59e70..9da15d4 100644
--- a/www/index.html
+++ b/www/index.html
@@ -120,7 +120,7 @@

Directive Reference

- script-src + script-src 'self' js.example.com Defines valid sources of JavaScript. @@ -404,7 +404,7 @@

Source List Reference

Allows an inline script or CSS to execute if its hash matches the specified hash in the header. Currently supports SHA256, SHA384 or SHA512. CSP Level 2 - 'nonce-' + 'nonce-' script-src 'nonce-r@nd0m' Allows an inline script or CSS to execute if the script (eg: <script nonce="r@nd0m">) tag contains a nonce attribute matching the nonce specifed in the CSP header. The nonce should be a secure random string, and should not be reused. CSP Level 2 diff --git a/www/nonce.html b/www/nonce.html new file mode 100644 index 0000000..4c4014d --- /dev/null +++ b/www/nonce.html @@ -0,0 +1,25 @@ +--- +title: Using a nonce in CSP +layout: layout +--- +
+

Using a nonce with CSP

+
A nonce is a randomly generated token that should be used only one time.
+
+

Example Nonce Usage

+

Using a nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP script-src directive:

+
+script-src 'nonce-r@nd0m';
+
+
+ NOTE: We are using the phrase: r@nd0m to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request. +
+

Now we can allow an inline <script> tag to execute by adding our random nonce value in the nonce attribute of the script tag:

+
+<script nonce="r@nd0m">
+	doWhatever();
+</script>
+
+

Nonce Browser Support

+

The nonce source list directive was added to CSP Level 2. This means that support has existed since 2015 in Chrome and Firefox, Safari 10+ or Edge 15+.

+

It is not supported at all in Internet Explorer, you need to use the Edge browser instead.

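Review bot: The NOTE paragraph gives the right two properties of a nonce (CSPRNG-generated, single use) but stops short of what the spec's `'nonce-<base64-value>'` grammar requires: the value has to be base64-encoded, and the spec recommends at least 128 bits of entropy, so the `r@nd0m` placeholder is fine as an illustration but a reader copying its shape would produce an invalid source expression. Suggest a sentence after the NOTE: `The nonce must be a base64 value; the CSP specification recommends at least 128 bits from a cryptographically secure random number generator, base64-encoded, generated fresh for every response.` It would also help to say why single use matters, namely that a nonce reused or predictable across responses lets injected markup reuse it, which the current wording leaves implicit. The browser-support paragraph is consistent with the Level 2 entry in the index page's source list table.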
diff --git a/www/package.json b/www/package.json deleted file mode 100644 index 6696ab6..0000000 --- a/www/package.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "devDependencies": { - "@11ty/eleventy": "^0.10.0" - } -} diff --git a/www/script-src.html b/www/script-src.html index a5b373b..f981332 100644 --- a/www/script-src.html +++ b/www/script-src.html @@ -30,7 +30,7 @@

Blocks

runInlineScript(); </script> -

Blocked because inline scripts are blocked by default, you have to use hashes or a nonce (CSP Level 2) to get allow inline scripts to run.

+

Blocked because inline scripts are blocked by default, you have to use hashes or a nonce (CSP Level 2) to get allow inline scripts to run.

 <button onClick="runInlineScript();">
   All JS Event Handlers Blocked
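Review bot: The cell re-added on the new side of this hunk keeps the wording `to get allow inline scripts to run`, which reads as a leftover from an earlier edit; `to allow inline scripts to run` is what is meant, and since the line is being touched anyway it is the moment to fix it. The markup of this hunk is not recoverable from the page, so I cannot tell what the surrounding tag change was and have no comment on it; the enclosing table continues outside the hunk.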
@@ -53,5 +53,6 @@ 

Supported

Not Supported

Internet Explorer
-

The CSP script-src directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1). However some features such as hashes and nonce were introduced in CSP Level 2. Support for these features is still very good.

+
+

The CSP script-src directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1). However some features such as hashes and nonce were introduced in CSP Level 2. Support for these features is still very good.

Internet Explorer 11 and below do not support the script-src directive. This means that IE11 will simply ignore the policy and allow any script to run (as if a policy had not been set at all).