[mod] caddy: update csp #424
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since searxng/searxng#5073 we add a script directly to the [`base.html`](https://github.com/searxng/searxng/blob/master/searx/templates/simple/base.html), we need `'unsafe-inline'`.
Member
|
@inetol I think this is only a interim solution for the user of our docker image. It is JS, so we should move this part to the client side (as it was before searxng/searxng#5073) . |
Member
Author
|
We need to inline this "JS is enabled?" thing to prevent layout shifts and temporary "no JS enabled" visuals as ESM scripts loads and evals everything deferred from initial DOM render. |
return42
added a commit
to return42/searxng
that referenced
this pull request
Aug 19, 2025
return42
added a commit
to return42/searxng
that referenced
this pull request
Aug 19, 2025
To avoid an `unsafe-inline` in the CSP header, the JS code must be moved to the client side [1]. The `<script>` tag at the end of the HTML originates from the old implementation of the JS client. Since PR-5073 [2] was merged, the `type` is now `module`, and the tag must be moved to the beginning of the HTML. > We need to inline this "JS is enabled?" thing to prevent layout shifts and > temporary "no JS enabled" visuals as ESM scripts loads and evals everything > deferred from initial DOM render [3] That's true in theory, but in practice, this effect is unnoticeable because it's masked by another effect (which we can't avoid): If we load the page with a severely throttled connection, the HTML (result list) takes a long time to load. Then the CSS is loaded, which also takes longer. Until the CSS has loaded, there's no layout. A layout shift is therefore largely determined by the loading of the HTML and CSS itself. The running times of the ESM script can be neglected compared to the loading times of HTML & CSS. [1] searxng/searxng-docker#424 (comment) [2] searxng#5073 [3] searxng/searxng-docker#424 (comment)
return42
added a commit
to return42/searxng
that referenced
this pull request
Aug 21, 2025
To avoid an `unsafe-inline` in the CSP header, the JS code must be moved to the client side [1]. The `<script>` tag at the end of the HTML originates from the old implementation of the JS client. Since PR-5073 [2] was merged, the `type` is now `module`, and the tag must be moved to the beginning of the HTML. > We need to inline this "JS is enabled?" thing to prevent layout shifts and > temporary "no JS enabled" visuals as ESM scripts loads and evals everything > deferred from initial DOM render [3] That's true in theory, but in practice, this effect is unnoticeable because it's masked by another effect (which we can't avoid): If we load the page with a severely throttled connection, the HTML (result list) takes a long time to load. Then the CSS is loaded, which also takes longer. Until the CSS has loaded, there's no layout. A layout shift is therefore largely determined by the loading of the HTML and CSS itself. The running times of the ESM script can be neglected compared to the loading times of HTML & CSS. [1] searxng/searxng-docker#424 (comment) [2] searxng#5073 [3] searxng/searxng-docker#424 (comment)
return42
added a commit
to searxng/searxng
that referenced
this pull request
Aug 21, 2025
To avoid an `unsafe-inline` in the CSP header, the JS code must be moved to the client side [1]. The `<script>` tag at the end of the HTML originates from the old implementation of the JS client. Since PR-5073 [2] was merged, the `type` is now `module`, and the tag must be moved to the beginning of the HTML. > We need to inline this "JS is enabled?" thing to prevent layout shifts and > temporary "no JS enabled" visuals as ESM scripts loads and evals everything > deferred from initial DOM render [3] That's true in theory, but in practice, this effect is unnoticeable because it's masked by another effect (which we can't avoid): If we load the page with a severely throttled connection, the HTML (result list) takes a long time to load. Then the CSS is loaded, which also takes longer. Until the CSS has loaded, there's no layout. A layout shift is therefore largely determined by the loading of the HTML and CSS itself. The running times of the ESM script can be neglected compared to the loading times of HTML & CSS. [1] searxng/searxng-docker#424 (comment) [2] #5073 [3] searxng/searxng-docker#424 (comment)
Contributor
|
@inetol "unsafe-inline" causes -20 score in Mozilla's HTTP Observatory Report, Content Security Policy test. HTTP Observatory is one of the metrics used in https://searx.space/ instance list. Best regards |
Member
|
issue has been solved in SearXNG .. I reverted this PR of SearXNG-docker in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since searxng/searxng#5073 we add a script directly to the
base.html, we need'unsafe-inline'.