Skip to content

Harden docs against supply-chain attacks: remove all third-party assets#56

Merged
odudex merged 2 commits into
mainfrom
docs-selfhost-math
Jun 7, 2026
Merged

Harden docs against supply-chain attacks: remove all third-party assets#56
odudex merged 2 commits into
mainfrom
docs-selfhost-math

Conversation

@odudex

@odudex odudex commented Jun 7, 2026

Copy link
Copy Markdown
Owner

What is this PR for?

Following the recent polyfill.io incident (a CDN extension injected malware into the docs), this removes every remote asset the docs load in visitors' browsers and adds a CSP so it can't recur.

Changes

  • Math — pre-render the entropy page's display equations to committed local SVGs (inline math → HTML); drop the cdnjs MathJax + require.js loads and pymdownx.arithmatex. render_docs_math.py regenerates the SVGs from the markdown (dev-only matplotlib, no JS).
  • Fonts — use the system font stack (theme.font: false) instead of Google Fonts.
  • Video tutorials — title + link list instead of YouTube thumbnails.
  • Emoji — inline Material icons in place of unicode shortcode emoji (which load from the twemoji CDN).
  • Iframes — remove the gitmind.com mind-map embeds (and the navigation page that only held them).
  • CSP — add a Content-Security-Policy meta tag (overrides/main.html) locking scripts/styles/fonts/frames to 'self', blocking any external <script> at the browser level.
  • Remove the now-unneeded Material privacy plugin; gitignore public/ and htmlcov/ build output.

Result

Verified across the full 38-page build: zero external <script>/<link>/<img>/<iframe>/font loads, CSP present on every page. mkdocs build is clean.

Changes made to:

  • Code
  • Tests
  • Docs
  • CHANGELOG

Did you build the code and tested on device?

  • Yes, build and tested on

What is the purpose of this pull request?

  • Bug fix
  • New feature
  • Docs update
  • Other

odudex added 2 commits June 7, 2026 14:16
Pre-render the entropy page display equations to committed SVGs and
write inline math as plain HTML, removing the cdnjs MathJax and
require.js loads (same supply chain class as the polyfill.io incident).
render_docs_math.py regenerates the SVGs from the markdown. Also ignore
mkdocs (public/) and pytest-cov (htmlcov/) build output.
Make the docs site fully self-contained so no remote code or assets load
in visitors' browsers:

- System font stack (theme.font: false) instead of Google Fonts
- Video tutorials as a title + link list, dropping YouTube thumbnails
- Shortcode emoji replaced with inline Material icons
- Remove the gitmind.com mind-map iframes (navigation page)
- Add a Content-Security-Policy meta tag (overrides/main.html) that
  blocks external scripts/styles/fonts/frames, preventing a polyfill.io
  style CDN injection at the browser level
@odudex odudex merged commit 978b07d into main Jun 7, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant