Subject: Re: Syntax highlighting issue
To: cgit@lists.zx2c4.com
From: Mateja Maric
Date: Wed, 26 Aug 2020 18:24:49 +0200

It worked! Thank you so much!

On 8/26/20 6:11 PM, Konstantin Ryabitsev wrote:
> On Wed, Aug 26, 2020 at 05:59:06PM +0200, Mateja Maric wrote:
>> I use cgit on my server (https://git.matejamaric.com) and syntax
>> highlighting doesn't work for some reason.
>>
>> My config file is fine (I think) and python-pygments package is installed.
>>
>> The weirdest thing is that when I view page source, styling and html span
>> tags are there, but code is still not colored for some reason.
> If you look at the dev console, you will see the reason:
>
> Refused to apply inline style because it violates the following Content
> Security Policy directive: "default-src 'self'". Either the
> 'unsafe-inline' keyword, a hash
> ('sha256-icLlI0jX3/L5wqZp69+gNqGNNMcU6bh4T+qqxWv/2as='), or a nonce
> ('nonce-...') is required to enable inline execution. Note also that
> 'style-src' was not explicitly set, so 'default-src' is used as a
> fallback.
>
> You need to change the Content-Security-Policy header to set style-src
> to allow inline styles. E.g. this is on git.kernel.org:
>
> Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src https:
>
> -K
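
The `default-src` fallback described in the reply above, as an added example that is not part of the original thread and is not cgit code: a simplified model of how a browser decides whether an inline `<style>` element passes a Content-Security-Policy header, run against the two policies quoted in the thread. The function names and the sample CSS are assumptions made for illustration.

```javascript
// Added example (not cgit code): simplified model of a browser's CSP check
// for an inline <style> element. The sample CSS below is constructed.
const crypto = require("node:crypto");

// Parse "name src1 src2; name2 src3" into a Map. Directive names are
// case-insensitive and the first occurrence of a directive wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// <style> elements are governed by style-src-elem, then style-src, then
// default-src: the fallback the console message in the thread points out.
function governingDirective(directives) {
  return ["style-src-elem", "style-src", "default-src"]
    .find((name) => directives.has(name)) || null;
}

// The source expression that would allow exactly this stylesheet text.
function styleHashSource(cssText) {
  const digest = crypto.createHash("sha256").update(cssText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

function checkInlineStyle(header, cssText, nonce = null) {
  const directives = parseCsp(header);
  const directive = governingDirective(directives);
  if (directive === null) return { allowed: true, directive, reason: "no-directive" };
  const sources = directives.get(directive);
  if (sources.includes(styleHashSource(cssText))) return { allowed: true, directive, reason: "hash" };
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return { allowed: true, directive, reason: "nonce" };
  // Browsers ignore 'unsafe-inline' once any hash or nonce source is listed.
  const hasHashOrNonce = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && !hasHashOrNonce) return { allowed: true, directive, reason: "unsafe-inline" };
  return { allowed: false, directive, reason: "blocked" };
}

// Constructed sample: a rule of the kind a syntax highlighter emits inline.
const SAMPLE_CSS = ".highlight .k { color: #008000; font-weight: bold }";
const BEFORE = "default-src 'self'"; // directive named in the console error
const AFTER = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src https:";
console.log(checkInlineStyle(BEFORE, SAMPLE_CSS));
console.log(checkInlineStyle(AFTER, SAMPLE_CSS));
```

Listing the stylesheet's hash in `style-src` allows that one block without `'unsafe-inline'`, but the hash changes whenever the emitted CSS changes.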