I'm trying to update my blog which uses the hugo-coder theme. I've tried updating the submodule that I had added, post the upgrade when I run the hugo server command, I get the following exception :
Change of config file detected, rebuilding site.
2021-03-15 22:01:46.390 +0530
ERROR 2021/03/15 22:01:46 render of "taxonomy" failed: execute of template failed: template: _default/list.html:11:9: executing "_default/list.html" at <partial "csp.html" .>: error calling partial: "/Users/ishabbi/PlayGround/rookieBlog/themes/hugo-coder/layouts/partials/csp.html:1:269": execute of template failed: template: partials/csp.html:1:269: executing "partials/csp.html" at <delimit .Site.Params.csp.childsrc " ">: error calling delimit: can't iterate over <nil>
ERROR 2021/03/15 22:01:46 render of "term" failed: execute of template failed: template: _default/list.html:11:9: executing "_default/list.html" at <partial "csp.html" .>: error calling partial: "/Users/ishabbi/PlayGround/rookieBlog/themes/hugo-coder/layouts/partials/csp.html:1:269": execute of template failed: template: partials/csp.html:1:269: executing "partials/csp.html" at <delimit .Site.Params.csp.childsrc " ">: error calling delimit: can't iterate over <nil>
ERROR 2021/03/15 22:01:46 render of "term" failed: execute of template failed: template: _default/list.html:11:9: executing "_default/list.html" at <partial "csp.html" .>: error calling partial: "/Users/ishabbi/PlayGround/rookieBlog/themes/hugo-coder/layouts/partials/csp.html:1:269": execute of template failed: template: partials/csp.html:1:269: executing "partials/csp.html" at <delimit .Site.Params.csp.childsrc " ">: error calling delimit: can't iterate over <nil>
ERROR 2021/03/15 22:01:46 render of "term" failed: execute of template failed: template: _default/list.html:11:9: executing "_default/list.html" at <partial "csp.html" .>: error calling partial: "/Users/ishabbi/PlayGround/rookieBlog/themes/hugo-coder/layouts/partials/csp.html:1:269": execute of template failed: template: partials/csp.html:1:269: executing "partials/csp.html" at <delimit .Site.Params.csp.childsrc " ">: error calling delimit: can't iterate over <nil>
ERROR 2021/03/15 22:01:46 failed to render pages: render of "page" failed: execute of template failed: template: _default/single.html:11:9: executing "_default/single.html" at <partial "csp.html" .>: error calling partial: "/Users/ishabbi/PlayGround/rookieBlog/themes/hugo-coder/layouts/partials/csp.html:1:269": execute of template failed: template: partials/csp.html:1:269: executing "partials/csp.html" at <delimit .Site.Params.csp.childsrc " ">: error calling delimit: can't iterate over <nil>
Rebuilt in 65 ms
The entries for params.csp in the config.toml file are as follows :
[params.csp]
scriptsrc = ["'self'",
"'unsafe-inline'",
"https://platform.twitter.com",
"https://cdn.syndication.twimg.com",
"*.amazon-adsystem.com",
"https://www.google-analytics.com",
"cse.google.com",
"https://www.google.com",
"https://pagead2.googlesyndication.com",
"https://adservice.google.com",
"https://www.googletagservices.com",
"jsfiddle.net",
"www.instagram.com",
"disqus.com",
"disquscdn.com",
"*.disqus.com",
"*.disquscdn.com"]
The content of the csp partial is as below :
{{ printf `<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content; default-src 'self'; child-src %s; font-src %s; form-action %s; frame-src %s; img-src %s; object-src %s; style-src %s; script-src %s; prefetch-src %s;">` (delimit .Site.Params.csp.childsrc " ") (delimit .Site.Params.csp.fontsrc " ") (delimit .Site.Params.csp.formaction " ") (delimit .Site.Params.csp.framesrc " ") (delimit .Site.Params.csp.imgsrc " ") (delimit .Site.Params.csp.objectsrc " ") (delimit .Site.Params.csp.stylesrc " ") (delimit .Site.Params.csp.scriptsrc " ") (delimit .Site.Params.csp.prefetchsrc " ") | safeHTML }}
Can someone please help me with what could be the issue here? The site is served in case I remove the CSP partial.
Ok, so turns out that I was missing the relevant security policies in my config.toml file. I referred to the default config.toml file here
The config file should've looked somewhat like this :
# If you want to implement a Content-Security-Policy, add this section
[params.csp]
childsrc = ["'self'"]
fontsrc = ["'self'", "https://fonts.gstatic.com", "https://cdn.jsdelivr.net/"]
formaction = ["'self'"]
framesrc = ["'self'"]
imgsrc = ["'self'"]
objectsrc = ["'none'"]
stylesrc = [
"'self'",
"'unsafe-inline'",
"https://fonts.googleapis.com/",
"https://cdn.jsdelivr.net/"
]
scriptsrc = ["'self'", "'unsafe-inline'", "https://www.google-analytics.com"]
prefetchsrc = ["'self'"]
The site now loads after updating my config.toml file to include the other security policies.