Dear Logseq community,
Logseq has this great feature of exporting the knowledge base to a website via Export graph > Export public pages. In terms of server security, this comes with two challenges around content security policies. For my examples, I use NGINX configs.
- The node graph shows up only when allowing `script-src 'unsafe-inline'`. This is necessary because of PIXI.js. I'm curious why PIXI.js was chosen here and whether it could be replaced with a library such as D3.js, which might be able to handle this without unsafe-eval.
- In order for any notes to show up, `script-src 'unsafe-inline';` and `style-src 'unsafe-inline';` are necessary. It would also be nice to fix this.
Strict content security policies prevent cross-site-scripting attacks. Logseq on the server doesn't allow these policies to be in place without losing features or becoming unusable.
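To make the two policies concrete, here is an NGINX server block with the strict policy a static export should be able to run under next to the relaxed one the post says the export currently needs. This is an added example, not a config from the original post or from the Logseq project; the hostname `notes.example.com`, the export directory `/var/www/logseq`, and the `img-src`, `font-src` and `connect-src` sources are placeholder assumptions, not values the post states.

```nginx
# Added example, not from the original post or from Logseq. Hypothetical
# server block serving an "Export public pages" output out of /var/www/logseq.
server {
    listen 443 ssl;
    server_name notes.example.com;          # placeholder hostname
    root /var/www/logseq;                   # assumed export directory
    index index.html;

    # Strict policy: only scripts and styles shipped from this origin, nothing
    # inline, nothing eval'd. Under this header the exported notes and the
    # PIXI.js node graph do not render, which is the problem the post describes.
    # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'" always;

    # Relaxed policy the export currently needs. 'unsafe-inline' in script-src
    # lets any inline <script> run, including one an attacker manages to get
    # into a published note, so the XSS protection CSP is meant to give is gone.
    # The other sources (img-src, font-src, connect-src) are assumed starting
    # points for a static site, not something the post specifies.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'" always;

    location / {
        # NGINX add_header is not inherited into a location that sets its own
        # add_header; if one is added here, the CSP line must be repeated here too.
        try_files $uri $uri/ =404;
    }
}
```

Two caveats worth knowing when experimenting with this: a `Content-Security-Policy` directive that contains a hash or nonce makes CSP3 browsers ignore `'unsafe-inline'` in that same directive, so per-script hashes can replace `'unsafe-inline'` but cannot be layered on top of it as a partial hardening; and `Content-Security-Policy-Report-Only` with the strict policy lets you see in the browser console exactly which inline scripts and styles the export depends on before enforcing anything.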