datatrails · robinbryce · Sep 12, 2024 · Sep 2, 2024 · Sep 2, 2024 · Sep 3, 2024
diff --git a/assets/images/DataTrailsDocAssets.pptx b/assets/images/DataTrailsDocAssets.pptx
diff --git a/config/_default/config.toml b/config/_default/config.toml
@@ -15,7 +15,7 @@ rssLimit = 10
   for = '/**'
   [server.headers.values]
     Strict-Transport-Security = 'max-age=31536000; includeSubDomains'
-    Content-Security-Policy = "script-src 'self' 'sha256-GoUI0hA42/W90nTDE3+8IM59Pmj5d7MTNu1m0Qv4C+o=' 'sha256-eg7hiIPJDJy7WtCOgK4mlnMdUDYpX6h90ef9pORicds=' https://www.googletagmanager.com/gtag/js js.hs-scripts.com https://js.hscollectedforms.net/collectedforms.js js.hs-analytics.net https://js.usemessages.com/conversations-embed.js https://js.hsadspixel.net/fb.js js.hs-banner.com https://www.google-analytics.com/analytics.js googleads.g.doubleclick.net"
+    Content-Security-Policy = "script-src 'self' 'sha256-GoUI0hA42/W90nTDE3+8IM59Pmj5d7MTNu1m0Qv4C+o=' 'sha256-eg7hiIPJDJy7WtCOgK4mlnMdUDYpX6h90ef9pORicds=' https://cdn.jsdelivr.net https://www.googletagmanager.com/gtag/js js.hs-scripts.com https://js.hscollectedforms.net/collectedforms.js js.hs-analytics.net https://js.usemessages.com/conversations-embed.js https://js.hsadspixel.net/fb.js js.hs-banner.com https://www.google-analytics.com/analytics.js googleads.g.doubleclick.net"
     Referrer-Policy = 'no-referrer-when-downgrade'
     Permissions-Policy = 'autoplay "self"; cookie "self"'
     X-Content-Type-Options = 'nosniff'

diff --git a/content/developers/developer-patterns/3rdparty-verification/index.md b/content/developers/developer-patterns/3rdparty-verification/index.md
diff --git a/content/developers/developer-patterns/3rdparty-verification/replicated-data.png b/content/developers/developer-patterns/3rdparty-verification/replicated-data.png
diff --git a/...t/developers/developer-patterns/3rdparty-verification/replicated-veracity-2.png b/...t/developers/developer-patterns/3rdparty-verification/replicated-veracity-2.png
diff --git a/...evelopers/developer-patterns/3rdparty-verification/replicated-veracity-gaps.png b/...evelopers/developer-patterns/3rdparty-verification/replicated-veracity-gaps.png
diff --git a/...ent/developers/developer-patterns/3rdparty-verification/replicated-veracity.png b/...ent/developers/developer-patterns/3rdparty-verification/replicated-veracity.png
diff --git a/layouts/_default/_markup/render-codeblock-mermaid.html b/layouts/_default/_markup/render-codeblock-mermaid.html
@@ -0,0 +1,4 @@
+<div class="mermaid">
+  {{ .Inner | safeHTML }}
+</div>
+{{ .Page.Store.Set "hasMermaid" true }}
diff --git a/layouts/_default/baseof.html b/layouts/_default/baseof.html
@@ -26,5 +26,6 @@
       {{ partial "footer/alert.html" . }}
     {{ end }}
     {{ partial "footer/script-footer.html" . }}
-  </body>
-</html>
+ </body>
+
+</html>
diff --git a/layouts/partials/footer/script-footer.html b/layouts/partials/footer/script-footer.html
@@ -51,6 +51,13 @@
 
 {{ $js := $slice | resources.Concat "main.js" -}}
 
+{{ if .Store.Get "hasMermaid" }}
+<script type="module" src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.esm.min.mjs">
+  // can't do this as it requires enabling script-src 'unsafe-inline': 
+  // mermaid.initialize({ startOnLoad: true, theme: 'base', themeVariables: { sketch: true } });
+</script>
+{{ end }}
+
 {{ if eq (hugo.Environment) "development" -}}
   {{ if .Site.Params.options.bootStrapJs -}}
     <script src="{{ $bs.RelPermalink }}" defer></script>

diff --git a/layouts/partials/head/head.html b/layouts/partials/head/head.html
@@ -6,8 +6,18 @@
   <meta http-equiv="X-Frame-Options" content="SAMEORIGIN">
   <meta http-equiv="X-Content-Type-Options" content="nosniff">
   <meta http-equiv="Referrer-Policy" content="no-referrer-when-downgrade">
-  <meta http-equiv="Permissions-Policy" content="autoplay 'self'; cookie 'self'">
-  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-GoUI0hA42/W90nTDE3+8IM59Pmj5d7MTNu1m0Qv4C+o=' 'sha256-eg7hiIPJDJy7WtCOgK4mlnMdUDYpX6h90ef9pORicds=' https://www.googletagmanager.com/gtag/js js.hs-scripts.com https://js.hscollectedforms.net/collectedforms.js js.hs-analytics.net https://js.usemessages.com/conversations-embed.js https://js.hsadspixel.net/fb.js js.hs-banner.com https://www.google-analytics.com/analytics.js googleads.g.doubleclick.net;">
+  <!-- NOTICE:
+   To allow the font styles to be applied, we have to permit unsafe-inline for styles-src.
+
+   THe prefered nonce based technique for securing this requires server side support which we don't have available via gh pages.
+   This exposes us to malictious css injection attacks which can misslead users to enter sensitive information and then capture it.
+
+   Given the static docs nature of this site, this seems acceptable but far from ideal
+
+   We DO NOT allow unsafe-inline for scripts-src, this is a major security risk and should be avoided at all costs.
+   -->
+  <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/mermaid/dist/; script-src 'self' 'sha256-GoUI0hA42/W90nTDE3+8IM59Pmj5d7MTNu1m0Qv4C+o=' 'sha256-eg7hiIPJDJy7WtCOgK4mlnMdUDYpX6h90ef9pORicds=' https://cdn.jsdelivr.net/npm/mermaid/dist/ https://www.googletagmanager.com/gtag/js js.hs-scripts.com https://js.hscollectedforms.net/collectedforms.js js.hs-analytics.net https://js.usemessages.com/conversations-embed.js https://js.hsadspixel.net/fb.js js.hs-banner.com https://www.google-analytics.com/analytics.js googleads.g.doubleclick.net;">
+  <!-- <meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval' data:;"> -->
   {{ block "head/resource-hints" . }}{{ partial "head/resource-hints.html" . }}{{ end }}
   {{ block "head/stylesheet" . }}{{ partial "head/stylesheet.html" . }}{{ end }}
   {{ block "head/seo" . }}{{ partial "head/seo.html" . }}{{ end }}