
Commit 4f3f9c3

author
EmbeddedOS Fix Bot
committed
fix(github.io): wave-2 CSP meta tags + _headers note
- Add Content-Security-Policy + X-Content-Type-Options + Referrer-Policy meta tags to every HTML page so the security headers are actually enforced on GitHub Pages (which silently ignores _headers files).
- Update _headers to document its purpose for CDN mirrors and clarify that <meta> tags are the live operative defence.
1 parent 63134eb commit 4f3f9c3

25 files changed

Lines changed: 78 additions & 9 deletions

404.html

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@
22
<html lang="en">
33
<head>
44
<meta charset="UTF-8">
5+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
6+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
7+
<meta name="referrer" content="strict-origin-when-cross-origin">
58
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
69
<link rel="apple-touch-icon" href="/og-image.png">
710
<meta name="viewport" content="width=device-width, initial-scale=1.0">
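Review bot: two of the three added tags do not deliver what the commit message promises on GitHub Pages. `X-Content-Type-Options` is only honoured as a real HTTP response header; browsers ignore it in an `http-equiv` meta, so `nosniff` is not in effect on the live site. Inside the CSP meta, `frame-ancestors 'none'` is likewise ignored (the CSP spec does not allow `frame-ancestors`, `report-uri` or `sandbox` to be delivered via `<meta>`), so the page remains embeddable by other origins. Of the three, only `<meta name="referrer">` takes full effect. Suggest removing the inert `X-Content-Type-Options` meta or commenting it as a no-op on GitHub Pages, and wording the commit message so it does not claim frame-ancestors is enforced. Separately, `script-src 'self' 'unsafe-inline'` means the policy does not block injected inline scripts; a nonce or hash allowlist is what would give the CSP its XSS value. Placement is correct: the CSP meta comes before the first `<link>`, so it governs the favicon and icon fetches.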

_headers

Lines changed: 6 additions & 9 deletions
@@ -1,16 +1,13 @@
1-
# NOTE: This file uses Netlify / Cloudflare Pages syntax. GitHub Pages — which
2-
# serves this site today — silently IGNORES the rules below. The values are
3-
# kept here as a single source of truth for an eventual move to Cloudflare
4-
# Pages or Netlify, and as a reference for the security headers the project
5-
# intends to enforce in production. The subset of headers that browsers honour
6-
# from in-document <meta http-equiv> tags is mirrored elsewhere in the site
7-
# chrome where applicable; CSP via <meta> is intentionally not added here
8-
# because it cannot express the same directive set as a real HTTP header.
1+
# NOTE: As of v3.0.1 the security headers are also served via <meta http-equiv>
2+
# tags in every HTML page (see scripts/check-csp-meta.sh). This file remains
3+
# for completeness when this site is mirrored to a CDN that honours _headers
4+
# (Netlify, Cloudflare Pages). GitHub Pages itself ignores _headers — the
5+
# <meta> tags are the operative defence on the live site.
96

107
/*
118
X-Frame-Options: DENY
129
X-Content-Type-Options: nosniff
1310
X-XSS-Protection: 1; mode=block
1411
Referrer-Policy: strict-origin-when-cross-origin
1512
Permissions-Policy: camera=(), microphone=(), geolocation=()
16-
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:;
13+
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
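Review bot: the rewritten comment drops the caveat from the deleted text ("CSP via <meta> is intentionally not added here because it cannot express the same directive set as a real HTTP header"), and that caveat is still true: `frame-ancestors 'none'` on the new CSP line is only enforced when served as a header, and `X-Frame-Options: DENY` has no meta equivalent at all. The sentence "the <meta> tags are the operative defence on the live site" should therefore say that framing protection is absent on GitHub Pages until a CDN serves this file. Two further points: the CSP line changes `font-src 'self' https:` to `font-src 'self' data:`, which disallows any externally hosted font, so confirm that tightening is intended and not just a copy of the meta value. And `X-XSS-Protection: 1; mode=block` is a legacy header that current Chromium and Firefox ignore; it can be removed the next time this file is touched. Finally, `scripts/check-csp-meta.sh` is referenced in the new comment but is not visible in this diff; make sure it lands in the same commit.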

books.html

Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,9 @@
22
<html lang="en">
33
<head>
44
<meta charset="UTF-8">
5+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
6+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
7+
<meta name="referrer" content="strict-origin-when-cross-origin">
58
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
69
<link rel="apple-touch-icon" href="/og-image.png">
710
<meta name="viewport" content="width=device-width, initial-scale=1.0">

docs/eai.html

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
2+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
3+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
4+
<meta name="referrer" content="strict-origin-when-cross-origin">
25
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
36
<link rel="apple-touch-icon" href="/og-image.png"><meta name="viewport" content="width=device-width, initial-scale=1.0">
47
<title>EAI API Reference v0.1.0 - EmbeddedOS</title>

docs/eboot.html

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
2+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
3+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
4+
<meta name="referrer" content="strict-origin-when-cross-origin">
25
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
36
<link rel="apple-touch-icon" href="/og-image.png"><meta name="viewport" content="width=device-width, initial-scale=1.0">
47
<title>eBoot API Reference v0.1.0 - EmbeddedOS</title>

docs/ebrowser.html

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
2+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
3+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
4+
<meta name="referrer" content="strict-origin-when-cross-origin">
25
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
36
<link rel="apple-touch-icon" href="/og-image.png"><meta name="viewport" content="width=device-width, initial-scale=1.0">
47
<title>eBrowser Reference - EmbeddedOS</title>

docs/ebuild.html

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
2+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
3+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
4+
<meta name="referrer" content="strict-origin-when-cross-origin">
25
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
36
<link rel="apple-touch-icon" href="/og-image.png"><meta name="viewport" content="width=device-width, initial-scale=1.0">
47
<title>ebuild CLI Reference v0.1.0 - EmbeddedOS</title>

docs/edb.html

Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,9 @@
22
<html lang="en">
33
<head>
44
<meta charset="UTF-8">
5+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
6+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
7+
<meta name="referrer" content="strict-origin-when-cross-origin">
58
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
69
<link rel="apple-touch-icon" href="/og-image.png">
710
<meta name="viewport" content="width=device-width, initial-scale=1.0">

docs/eipc.html

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
2+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
3+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
4+
<meta name="referrer" content="strict-origin-when-cross-origin">
25
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
36
<link rel="apple-touch-icon" href="/og-image.png"><meta name="viewport" content="width=device-width, initial-scale=1.0">
47
<title>EIPC API Reference v0.1.0 - EmbeddedOS</title>

docs/eni.html

Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,7 @@
11
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
2+
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'">
3+
<meta http-equiv="X-Content-Type-Options" content="nosniff">
4+
<meta name="referrer" content="strict-origin-when-cross-origin">
25
<link rel="icon" href="/favicon.svg" type="image/svg+xml">
36
<link rel="apple-touch-icon" href="/og-image.png"><meta name="viewport" content="width=device-width, initial-scale=1.0">
47
<title>ENI API Reference v0.1.0 - EmbeddedOS</title>
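Review bot: the same three-line block is pasted by hand into every page head shown in this diff, so any future policy change must be repeated in each file and a single stale copy silently weakens that page. Suggest either generating the `<head>` prelude from one shared include or having `scripts/check-csp-meta.sh` (referenced in the new `_headers` comment) compare each page's CSP meta against the `_headers` value byte-for-byte in CI, so the meta and header policies cannot drift apart.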
