CSP Sucks

So today I decided to get my site here set up with LetsEncrypt so I can have HTTPS. HTTPS on the modern web is very important because people think that they can still get their data stolen even if it’s a website where no data can be submitted, like mine. Annoyances about the ubiquity of unreasonable https expectations aside, getting LetsEncrypt itself set up was a breeze.

Except for one small thing.

Every time I loaded the site through https there was a significant lack of stylesheets. Now this left me rather confused, as I was quite certain I had not lost my cascading sheets anywhere, and I was quite sure I left them right where they were meant to be. I was on a voice call with a developer friend of mine at the time and they reminded me to check the network view and see what exactly is happening. Much to my dismay, the .css file download was being blocked by this thing I had never had the misfortune of dealing with called “CSP”. I’m not much of a web guy personally so my immediate standard reaction was to be upset.

“What have these newfangled webdevs done to my precious internet?”

Anyways, turns out CSP is to prevent files from being loaded from offsite locations, which I suppose is fine and all. It’s meant to stop one vector of attack. Until you realize the webmaster can just stick a flag in their header that effectively disables CSP:

<meta http-equiv="Content-Security-Policy" content="default-src '*'">

So what’s the point? Sounds like a solution that fails to solve any real problems. I suppose it could stop malicious third party attackers but what’s really the point when the majority of the webdevs out there are just going to disable it?

I could ramble about that all day but in the end the problem was actually my fault. In Hugo’s config I had set my site base URL to http://ceikry.xyz rather than https://ceikry.xyz

baseURL = 'http://ceikry.xyz/'

Just one of those days, I guess.