CTalvio/Monochromic

sharp_style does not work

Closed this issue · 6 comments

Hi,
I applied the custom CSS as mentioned in the readme. I'm also using Nginx, with the fix for XSS. It works fine, except all corners are rounded, not sharp.
Default_style is applied immediately and fine, so I don't think it's a cache issue or my bad.


Actually, jf_blue and customcolor do not seem to work either.

Ah, this is because the code snippet only marks the default_style as safe. I didn't write the fix, so my additions after that are not accounted for.

Would you mind testing for me whether a URL can be marked safe like this:

add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline' https://ctalvio.github.io/Monochromic https://fonts.googleapis.com/css2; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.youtube.com/iframe_api https://s.ytimg.com https://ctalvio.github.io/Monochromic; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

If that does not work, each one has to be added separately, with this:

add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline' https://ctalvio.github.io/Monochromic/default_style.css https://ctalvio.github.io/Monochromic/sharp_style.css https://ctalvio.github.io/Monochromic/jfblue_style.css https://ctalvio.github.io/Monochromic/customcolor_style.css https://fonts.googleapis.com/css2; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.youtube.com/iframe_api https://s.ytimg.com https://ctalvio.github.io/Monochromic/default_style.css https://ctalvio.github.io/Monochromic/sharp_style.css https://ctalvio.github.io/Monochromic/jfblue_style.css https://ctalvio.github.io/Monochromic/customcolor_style.css; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
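The difference between the two snippets comes down to how a CSP host-source path is matched: a path that does not end in "/" must match the fetched URL's path exactly (query string ignored), while a path ending in "/" is treated as a prefix. The matcher below is an added example written for this thread, not code from the Monochromic project or from Jellyfin; it implements the CSP3 source-expression matching rules for 'self', scheme sources (https:, data:, blob:) and host sources, and checks both snippets' style-src lists against the sharp_style.css URL. It also goes one step beyond the thread by checking a trailing-slash variant of the first snippet. The page origin https://jellyfin.example and the style-src values are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Default ports per scheme, used when a source expression omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# A scheme-source is just "scheme:" (e.g. "https:", "data:", "blob:").
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")


def _scheme_ok(expected, actual):
    """CSP lets an http/ws expression also match its secure counterpart."""
    return actual == expected or (expected, actual) in {("http", "https"), ("ws", "wss")}


def _origin(parts):
    """(scheme, host, effective port) of a split URL, for 'self' comparison."""
    return (parts.scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def _parse_host_source(expr):
    """Split [scheme://]host[:port][/path] into parts (IPv6 literals not handled)."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
        scheme = scheme.lower()
    path = ""
    cut = expr.find("/")
    if cut != -1:
        expr, path = expr[:cut], expr[cut:]
    port = None
    if ":" in expr:
        expr, port = expr.rsplit(":", 1)
    return scheme, expr.lower(), port, path


def source_matches(expr, url, page_origin):
    """Return True if a single CSP source expression permits fetching `url`."""
    expr = expr.strip()
    u = urlsplit(url)
    if expr.startswith("'"):
        # Keywords: only 'self' can match a URL; 'unsafe-inline' and friends never do.
        return expr == "'self'" and _origin(u) == _origin(urlsplit(page_origin))
    if SCHEME_SOURCE.match(expr):
        return _scheme_ok(expr[:-1].lower(), u.scheme)
    e_scheme, e_host, e_port, e_path = _parse_host_source(expr)
    # No scheme in the expression means "same scheme as the page" (or its upgrade).
    if not _scheme_ok(e_scheme or urlsplit(page_origin).scheme, u.scheme):
        return False
    host = (u.hostname or "").lower()
    if e_host == "*":
        pass
    elif e_host.startswith("*."):
        if not host.endswith(e_host[1:]):  # "*.ytimg.com" -> must end in ".ytimg.com"
            return False
    elif e_host != host:
        return False
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if e_port is None:
        if u_port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif e_port != "*" and int(e_port) != u_port:
        return False
    # The path rule is what bit this thread: a path ending in "/" is a prefix,
    # any other non-empty path must match exactly (query and fragment ignored).
    if e_path == "":
        return True
    u_path = unquote(u.path or "/")
    if e_path.endswith("/"):
        return u_path.startswith(unquote(e_path))
    return u_path == unquote(e_path)


def csp_allows(directive_value, url, page_origin="https://jellyfin.example"):
    """True if any source in one directive's value (e.g. its style-src list) permits url."""
    return any(source_matches(s, url, page_origin) for s in directive_value.split())


# style-src lists taken from the two snippets above; page origin is an assumption.
FIRST_STYLE_SRC = ("'self' 'unsafe-inline' https://ctalvio.github.io/Monochromic "
                   "https://fonts.googleapis.com/css2")
SECOND_STYLE_SRC = ("'self' 'unsafe-inline' "
                    "https://ctalvio.github.io/Monochromic/default_style.css "
                    "https://ctalvio.github.io/Monochromic/sharp_style.css "
                    "https://ctalvio.github.io/Monochromic/jfblue_style.css "
                    "https://ctalvio.github.io/Monochromic/customcolor_style.css "
                    "https://fonts.googleapis.com/css2")
# Not in the thread: the trailing slash turns the path into a prefix match.
PREFIX_STYLE_SRC = ("'self' 'unsafe-inline' https://ctalvio.github.io/Monochromic/ "
                    "https://fonts.googleapis.com/css2")
SHARP = "https://ctalvio.github.io/Monochromic/sharp_style.css"

if __name__ == "__main__":
    for name, value in (("first", FIRST_STYLE_SRC), ("second", SECOND_STYLE_SRC),
                        ("prefix", PREFIX_STYLE_SRC)):
        print(f"{name}: sharp_style.css allowed = {csp_allows(value, SHARP)}")
```

Running it shows the first snippet rejecting sharp_style.css (exact path "/Monochromic" only), the second accepting it, and the trailing-slash form accepting every file under /Monochromic/ as a shorter alternative to listing each file. The same exact-path rule is why https://fonts.googleapis.com/css2 still matches the stylesheet request with its ?family= query: query strings are ignored in path matching.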

Ha, makes sense!
Yes, the first one is working. Thanks 👍 EDIT: actually no, the second one works; you need to make every URL explicit.

Also, I'm curious why you need to call ytimg.com, gstatic.com and youtube.com? I understand for fonts.googleapis.com, though I'm not a fan of querying Google URLs. Do you think a version with embedded fonts can work?

I haven't a clue. As I said, I did not write this initially. Try removing them and see if the font still works.

Ha, actually I tested too quickly; you need to put all URLs with the absolute path, like in your second snippet.

OK, will do. Thanks for this theme :)


Just to answer your question, these URLs are probably used for the trailers. ytimg is probably for thumbnails, gstatic is a sort of caching thing from Google for static content (in this case used for loading the JavaScript that allows casting to your Chromecast/TV etc.), and youtube is used for the trailers themselves.