Avoid extra HTTP request for fetching custom stylesheet

Use inline CSS with a nonce and move CSP headers to a meta tag.
2025-09-15 18:57:04 +00:00 · 2021-05-31 14:16:50 -07:00 · 2021-05-31 14:16:50 -07:00 · dd3f496d06
commit dd3f496d06
parent 09be3d2bac
5 changed files with 14 additions and 21 deletions
--- a/template/functions.go
+++ b/template/functions.go
@ -51,6 +51,9 @@ func (f *funcMap) Map() template.FuncMap {
 		"safeURL": func(url string) template.URL {
 			return template.URL(url)
 		},
+		"safeCSS": func(str string) template.CSS {
+			return template.CSS(str)
+		},
 		"noescape": func(str string) template.HTML {
 			return template.HTML(str)
 		},
@ -91,8 +94,8 @@ func (f *funcMap) Map() template.FuncMap {
 				iconName,
 			))
 		},
-		"rand": func() string {
-			return crypto.GenerateRandomStringHex(10)
+		"nonce": func() string {
+			return crypto.GenerateRandomStringHex(16)
 		},

 		// These functions are overrode at runtime after the parsing.
--- a/template/templates/common/layout.html
+++ b/template/templates/common/layout.html
@ -31,8 +31,13 @@

    <meta name="theme-color" content="{{ theme_color .theme }}">
    <link rel="stylesheet" type="text/css" href="{{ route "stylesheet" "name" .theme }}?{{ .theme_checksum }}">
+
    {{ if and .user .user.Stylesheet }}
-    <link rel="stylesheet" type="text/css" href="{{ route "stylesheet" "name" "custom_css" }}?{{ rand }}">
+    {{ $stylesheetNonce := nonce }}
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'nonce-{{ $stylesheetNonce }}'">
+    <style nonce="{{ $stylesheetNonce }}">{{ .user.Stylesheet | safeCSS }}</style>
+    {{ else }}
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *">
    {{ end }}

    <script src="{{ route "javascript" "name" "app" }}?{{ .app_js_checksum }}" defer></script>