I’m experimenting with Content-Security-Policy HTTP headers on my website (where I am writing a Hugo theme). I currently have the following header:
Content-Security-Policy: "default-src 'none'; img-src 'self' https://i.ytimg.com; script-src https://gc.zgo.at/count.v1.js; style-src 'self'; frame-ancestors 'none'"
Sadly, I’ve found a problem with Hugo’s syntax highlighting: it uses inline styles and is therefore blocked, with an error like this in Firefox: “Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).”
Here’s a page where the problem occurs: Maximum Ethics | My Second Post
Does anyone have any ideas or tips for using CSP with Hugo’s syntax highlighter? Or is it hopeless?
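An added example, not part of the original post: a Python check that scans generated HTML for inline styles the policy above would block. It can be used to verify the built site after switching the highlighter to CSS classes (Hugo's `noClasses = false` under `[markup.highlight]`, with a stylesheet from `hugo gen chromastyles`). The sample HTML is constructed, the function names are hypothetical, and nonce- or hash-matched inline styles are conservatively reported as blocked.

```python
from html.parser import HTMLParser

# Policy from the post above (header value without the surrounding quotes).
POLICY = ("default-src 'none'; img-src 'self' https://i.ytimg.com; "
          "script-src https://gc.zgo.at/count.v1.js; style-src 'self'; "
          "frame-ancestors 'none'")
# Constructed samples of inline-style and class-based highlighter markup.
INLINE_HTML = ('<pre style="color:#f8f8f2;background-color:#272822"><code>\n'
               '<span style="color:#66d9ef">func</span> main()\n</code></pre>')
CLASS_HTML = ('<pre class="chroma"><code>\n'
              '<span class="kd">func</span> main()\n</code></pre>')
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def inline_allowed(directives, specific):
    """Check style-src-attr/-elem first, then style-src, then default-src."""
    for name in (specific, "style-src", "default-src"):
        if name in directives:
            sources = [s.lower() for s in directives[name]]
            # A nonce or hash source makes browsers ignore 'unsafe-inline'.
            guarded = any(s.startswith(HASH_OR_NONCE) for s in sources)
            return "'unsafe-inline'" in sources and not guarded
    return True  # no governing directive, so nothing is restricted

class InlineStyleFinder(HTMLParser):
    """Collects (line, description) for inline styles the policy blocks."""
    def __init__(self, directives):
        super().__init__()
        self.attr_ok = inline_allowed(directives, "style-src-attr")
        self.elem_ok = inline_allowed(directives, "style-src-elem")
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "style" and not self.elem_ok:
            self.blocked.append((line, "<style> element"))
        if any(name == "style" for name, _ in attrs) and not self.attr_ok:
            self.blocked.append((line, f"style attribute on <{tag}>"))

def find_blocked(html, policy=POLICY):
    finder = InlineStyleFinder(parse_csp(policy))
    finder.feed(html)
    return finder.blocked
```

Running `find_blocked` over each file in the generated `public/` directory lists the line of every element that would trigger the Firefox error quoted above.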