Online API Documentation refuses to show source
faxm0dem opened this issue · 9 comments
When clicking on "View Source" on the API docs we get this:
Blocked by Content Security Policy
@aphyr controls the host and I suspect will need to make some changes to server headers.
Huh, this is all github hosted... wonder if they changed an origin CSP or something.
Ahhhh, it's mad because we try to frame it from the riemann.io domain. Hmmmmmm.
Oh. Yeah GH pages. No coffee yeah.
Hmm. Both pages are hosted by github pages on riemann.io, so... you'd think same-origin would be OK. Browser security models have changed so much since I was last up on this stuff. Lemme google around...
Yeah, it doesn't look like we get any control over the content security policy at the repo level. As a quick fix, we could replace the frame with a regular old link--users wouldn't get the top nav bar any more, but that's not the end of the world. Another option would be to do some sort of HTML rewriting as a build step when CODOX gets built. Or we could move riemann.io to its own server somewhere?
Possssibly we could work around this with a <meta http-equiv="Content-Security-Policy" content="...">
? I'm not sure what takes precedence...
Unfortunately, frame-ancestors isn't supported in meta tags. :(
IMHO a simple link to the gh source would be a lesser evil and good compromise for work involved/functionality
The web sucks in 2020 doesn't it?