suzanne.soy/scribble-math
1
0
Fork 0
Code Issues 8 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Content-Security-Policy settings often block scribble-math #13

New Issue
Open
opened 2024-06-04 05:34:12 +01:00 by jbclements · 0 comments
jbclements commented 2024-06-04 05:34:12 +01:00 (Migrated from github.com)
Copy Link

As of now, both the KaTeX and MathJax back-ends for scribble-math are incompatible with many/most Content-Security-Policy settings. Specifically, they both use inline scripts, and in fact they both appear currently to attempt to disguise injections of script tags by summing <scri and pt at runtime.

Both @soegaard and @LiberalArtist did a considerable amount of research on this. At the risk of quoting without permission, and of failing to condense knowledge, I'm going to include big chunks of that Discord conversation.

@soegaard writes:

However, here is what I could find:

In MathJax 2.7 (the old version) inline scripts were used for configuration.
Putting the configuration in an external file was the solution.
However, Mathjax 3 is mentioned and no solution is presented in this thread.

https://github.com/mathjax/MathJax/issues/1988

I believe the inline scripts are used for fonts in MathJax 3. I don't know why.
It seems difficult to fix. See bottom of:

https://github.com/mathjax/MathJax/issues/256

One "solution": Use MathJax server-side to render svgs and include them in the document.
In this repo they have several versions of a tex2svg implemented in Node running MathJax.

@soegaard writes:

Wrt KaTex and the Content Security Policy, there might be a solution for KaTeX in this thread.
https://github.com/KaTeX/KaTeX/issues/1968

@LiberalArtist writes:

I looked at the source of scribble-math. It looks like some of the weird inline stuff is an attempt to fit into the hooks provided by the Scribble APIs, but I think there are better options.

To use scribble-math with ahead-of-time KaTeX rendering, it looks like you could adjust the $-html-handler and $$-html-handler parameters. On the other hand, you'd basically end up replacing everything but the fairly trivial with-html5, so you might just want to do it yourself.

I think you would probably generate placeholder empty element or paragraph structs, perhaps with the alt-tag style property to control the HTML element name, and use the xexpr-property style property to provide the literal HTML to inject. You might take advantage of the trick to (ab)use the cdata struct to inject raw HTML as a string, to avoid any issues parsing potential html5-isms in the KaTeX output with the xml parser. (If you use KaTeX in MathML-only mode, though, that will be real XML.)

You might want to implement caching rather than potentially passing the same string to KaTeX multiple times, and caching could also be useful if you check in cached renders to allow re-building on systems without katex/Node.js installed. The scriblib/gui-eval library and make-log-based-eval from scribble/example (as used in the db docs) address somewhat similar problems. There might be a way to use the traverse-element/traverse-block, delayed-block/delayed-element, and/or render-element structs to cooperate with the mechanisms Scribble provides for collecting and resolving things.

To support non-HTML targets, you would probably want to use scriblib/render-cond (as scribble-math does), or, if you are creating traverse-elements etc. already, to check the scribble:current-render-mode directly as that library does.

@LiberalArtist writes:

In case it's useful, https://github.com/dybvig/stex/pull/7 is where I add ahead-of-time KaTeX support for the system used to typeset CSUG, with a lot of indirection to minimize changes to the rest of the system. (I still need to get back to the review comments ...)

== end of quoted conversation ==

Okay, I think that's most of the good stuff....

As of now, both the KaTeX and MathJax back-ends for scribble-math are incompatible with many/most Content-Security-Policy settings. Specifically, they both use inline scripts, and in fact they both appear currently to attempt to disguise injections of script tags by summing `<scri` and `pt` at runtime. Both @soegaard and @LiberalArtist did a considerable amount of research on this. At the risk of quoting without permission, and of failing to condense knowledge, I'm going to include big chunks of that Discord conversation. @soegaard writes: However, here is what I could find: In MathJax 2.7 (the old version) inline scripts were used for configuration. Putting the configuration in an external file was the solution. However, Mathjax 3 is mentioned and no solution is presented in this thread. https://github.com/mathjax/MathJax/issues/1988 I believe the inline scripts are used for fonts in MathJax 3. I don't know why. It seems difficult to fix. See bottom of: https://github.com/mathjax/MathJax/issues/256 One "solution": Use MathJax server-side to render svgs and include them in the document. In this repo they have several versions of a tex2svg implemented in Node running MathJax. @soegaard writes: Wrt KaTex and the Content Security Policy, there might be a solution for KaTeX in this thread. https://github.com/KaTeX/KaTeX/issues/1968 @LiberalArtist writes: I looked at the source of scribble-math. It looks like some of the weird inline stuff is an attempt to fit into the hooks provided by the Scribble APIs, but I think there are better options. To use scribble-math with ahead-of-time KaTeX rendering, it looks like you could adjust the $-html-handler and $$-html-handler parameters. On the other hand, you'd basically end up replacing everything but the fairly trivial with-html5, so you might just want to do it yourself. I think you would probably generate placeholder empty element or paragraph structs, perhaps with the alt-tag style property to control the HTML element name, and use the xexpr-property style property to provide the literal HTML to inject. You might take advantage of the trick to (ab)use the cdata struct to inject raw HTML as a string, to avoid any issues parsing potential html5-isms in the KaTeX output with the xml parser. (If you use KaTeX in MathML-only mode, though, that will be real XML.) You might want to implement caching rather than potentially passing the same string to KaTeX multiple times, and caching could also be useful if you check in cached renders to allow re-building on systems without katex/Node.js installed. The scriblib/gui-eval library and make-log-based-eval from scribble/example (as used in the db docs) address somewhat similar problems. There might be a way to use the traverse-element/traverse-block, delayed-block/delayed-element, and/or render-element structs to cooperate with the mechanisms Scribble provides for collecting and resolving things. To support non-HTML targets, you would probably want to use scriblib/render-cond (as scribble-math does), or, if you are creating traverse-elements etc. already, to check the scribble:current-render-mode directly as that library does. @LiberalArtist writes: In case it's useful, https://github.com/dybvig/stex/pull/7 is where I add ahead-of-time KaTeX support for the system used to typeset CSUG, with a lot of indirection to minimize changes to the rest of the system. (I still need to get back to the review comments ...) == end of quoted conversation == Okay, I think that's most of the good stuff....
👍 1
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bug

   
duplicate

   
enhancement

   
help wanted

   
invalid

   
question

   
wontfix
No Label
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: suzanne.soy/scribble-math#13
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?