
Alternative to Wordpress, Bludit ?

Started by gameblabla, May 01, 2017, 07:30:41 PM



gameblabla

I'm looking for something like Wordpress or Bludit that plays nice with restrictive Content Security Policy rules.
That is:

  • No unsafe-inlining
  • No eval
  • No links to other websites (other than my own)

Unfortunately, no alternative I found (except maybe Jekyll) plays nice with restrictive CSP rules.
I was using a patched-out Nibbleblog for CSP, except that one day it broke X_X.
Plus, it was still not playing very nice before it broke.

I thought Bludit would fare better, but it grew much more complex than its older brother Nibbleblog and as a result,
I can't easily patch it for unsafe-inlining.
And I had to patch uikit because it was using eval x_x

Ghost also didn't play very nice with CSP, but I wonder if that has changed... I should try it again.
As for Wordpress.... LOL, let's not even talk about it again, it's the worst example as far as CSP goes.

I had considered Jekyll, but I was never able to install it properly with Gem. And there's no PPA or Debian repo for a more recent version...

What alternative do I have?

Yuki

Let's see, at my job so far I used a heavily customized version of Kohana (now Koseven) and FuelPHP, both are PHP MVC frameworks. I imagine it's not hard to make sure CSP works, whatever that is, and to make some sort of blogging with that.

gameblabla

Quote from: Juju on May 01, 2017, 07:52:08 PM
Let's see, at my job so far I used a heavily customized version of Kohana (now Koseven) and FuelPHP, both are PHP MVC frameworks. I imagine it's not hard to make sure CSP works, whatever that is, and to make some sort of blogging with that.
Those are just a bunch of frameworks; you would still need to do the dirty job.
That is not quite what I'm looking for... I don't want to reinvent the wheel again :sigh:

CSP, or Content Security Policy, is a standard designed to counter injection attacks, cross-site scripting, etc.
One of the reasons I want to fully implement it is that Mozilla's Observatory gives you a better score based on your CSP settings.
Anyway, here's how it is implemented (via .htaccess) on mah website:
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "default-src 'none' ; base-uri 'none'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; object-src 'none'; connect-src 'self'; img-src 'self'; style-src 'self';"
Header always set X-Xss-Protection "1; mode=block"
Header always set Referrer-Policy "no-referrer"
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
</IfModule>

Header unset ETag
FileETag None

RewriteEngine On
RewriteCond %{HTTPS} !^on$
RewriteCond %{HTTP_HOST} ^(.*)$ [NC]
RewriteRule ^.*$ https://%1%{REQUEST_URI} [L,R=301]


However, you can notice that I had to enable unsafe-inline because otherwise this would break the text editor and image uploader in Bludit.
I will take another look at Jekyll, however (this time from the repository); I'll tell you if it fits the bill.
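The policy above keeps 'unsafe-inline' in script-src, which is exactly the thing the first post wanted to avoid. As an added example (not code from the thread or from any of the CMSs discussed), this script parses a CSP header and reports every source that breaks the three rules from the opening post: inline code, eval, and origins other than your own. It also builds a constructed variant that swaps 'unsafe-inline' for a nonce source; the nonce literal is a placeholder and would have to be generated fresh per response by the server.

```python
import re

# Policy copied from the .htaccess in the post above: 'unsafe-inline' was kept
# in script-src so Bludit's editor and image uploader would keep working.
POSTED_CSP = ("default-src 'none' ; base-uri 'none'; frame-ancestors 'none'; "
              "script-src 'self' 'unsafe-inline'; object-src 'none'; "
              "connect-src 'self'; img-src 'self'; style-src 'self';")
# Constructed alternative: a per-response nonce whitelists only the inline
# scripts the page itself emits. The value here is a placeholder, not a real nonce.
NONCE_CSP = POSTED_CSP.replace("'unsafe-inline'", "'nonce-PLACEHOLDER'")

FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "font-src",
                    "connect-src", "object-src", "media-src", "frame-src"}
KEYWORDS = {"self", "none", "strict-dynamic", "report-sample", "unsafe-hashes"}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def classify_source(src):
    """Return (kind, value) for one source expression."""
    low = src.strip("'").lower()
    if low in ("unsafe-inline", "unsafe-eval"):
        return "unsafe", low
    if low in KEYWORDS or low.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
        return "keyword", low
    if low == "*" or re.fullmatch(r"[a-z][a-z0-9+.-]*:", low):  # '*', 'https:', 'data:'
        return "wildcard", low
    return "host", low  # e.g. https://cdn.example.net or *.example.net

def audit_csp(header, own_hosts=()):
    """List how a policy breaks the three rules from the first post:
    no inline code, no eval, no sources outside the site's own hosts."""
    policy, findings = parse_csp(header), []
    if "default-src" not in policy:
        findings.append("default-src missing: every directive not set is unrestricted")
    for directive, sources in policy.items():
        if directive not in FETCH_DIRECTIVES:
            continue
        for src in sources:
            kind, value = classify_source(src)
            if kind == "unsafe":
                findings.append(f"{directive}: '{value}' re-enables inline code or eval()")
            elif kind == "wildcard":
                findings.append(f"{directive}: '{value}' admits any origin of that scheme")
            elif kind == "host":  # strip scheme, path and port, then compare to own hosts
                host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value).split("/")[0].split(":")[0]
                if host.lstrip("*.") not in own_hosts:
                    findings.append(f"{directive}: loads from third-party host {host}")
    return findings
```

Running `audit_csp(POSTED_CSP)` reports the single script-src 'unsafe-inline' finding, while the nonce variant comes back clean; a policy with no default-src, a CDN host or a bare `data:` scheme gets one finding per problem.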

gameblabla

Okay, so I installed Jekyll from the repository and it's actually pretty cool!
It's completely static and as a result it's pretty fast, the markup language isn't too complex, and my posts, believe it or not,
look nicer and less glitchy than they did with Bludit/Nibbleblog.
Since it's also static, it does not suffer from MySQL injection attacks either.

Take a look here:
https://blog.gameblabla.nl/

And guess who's the best at Mozilla's Observatory? :D
https://observatory.mozilla.org/analyze.html?host=blog.gameblabla.nl

Straight A's, my dear comrades!
Codewalr.us in comparison gets an F lol

@Streetwalrus, look at dis
https://observatory.mozilla.org/analyze.html?host=codewalr.us
