Breaks with CSP enabled

[dschmidt]

Hey,

I just installed this addon and it breaks with restrictive CSP enabled.

 Refused to load the stylesheet 'http://yui.yahooapis.com/3.9.1/build/cssgrids/cssgrids-min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

xxx.html:1 Refused to load the script 'http://yui.yahooapis.com/combo?3.9.1/build/yui/yui-min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline'".

It would be great if you could serve those files directly instead of referring to some online resources.

Best regards,
Dominik

[dschmidt]

Although I'd prefer it that way, another approach would be to add http://yui.yahooapis.com to script-src, img-source and style-source.

[cibernox]

I'll investigate how hard is to serve a customized version of the assets.
On Mar 3, 2015 3:13 PM, "Dominik Schmidt" notifications@github.com wrote:

Although I'd prefer it that way, another approach would be to add
http://yui.yahooapis.com to script-src, img-source and style-source.

—
Reply to this email directly or view it on GitHub
#14 (comment)
.

[dschmidt]

Did you close this accidentally with that commit? It seems github doesn't understand "would fix #14" correctly :-)

[cibernox]

I don't remember closing this, but honestly I may well have.
Also I have to say that I've had little time to give love to this lately. I really need to allocate a sunday to make this up to date and fix All The Shit™

[dschmidt]

Hehe, well, look at what github says: "cibernox closed this in a27f39f on 17 Mar" and read the commit message:

"TODO: Fix yuidoc itself. Having local assets would also fix #14"

That todo statement apparently closed this issue, if you don't mind I'll reopen.

[cibernox]

So this was github being oversmart. Good to know

[dschmidt]

FWIW, I worked around this issue by using a different theme. Went for yuidoc-bootstrap-theme and added

    "themedir": "node_modules/yuidoc-bootstrap-theme",
    "helpers": ["node_modules/yuidoc-bootstrap-theme/helpers/helpers.js"]

to my yuidoc.json. Would be nice to have something like that out of the box, but this is a good work around - or at least documentation on that.