TUF website Docsy themed version

[Dindihub]

This is the Docsy theme version of the TUF website.

Please review @chalin @lukpueh

[chalin]

See inline comments.
Also, I'm not seeing any content for content/en/resources

[chalin]

@Dindihub - FYI, I'm working with @nate-double-u to try to get deploy previews enabled for the docsy branch and this PR.

[Dindihub]

See inline comments. Also, I'm not seeing any content for content/en/resources

It was in the .gitignore file as resources/. It's now visible

[chalin]

@Dindihub - take a look at https://deploy-preview-68--theupdateframework.netlify.app and you'll see that it is different from your repo's rendition. I'll fix that; it seems to be because the version of Hugo being used, isn't correct due to the wrong build commands being used.

Note that you'll need to copy over and include the following in this PR

• All of the dot files and folders such as .github, .cspell.yml, etc.
• The LICENSE files
• The updated Makefile
• The updated README.md (keep the current badge)

Edit: track required additions via:

• [docsy] Missing website files to be copied over from docsy-tuf.io #74

[chalin]

Hmm, the version of docsy included currently in this PR is old; in particular, it doesn't match the version you're using over in https://github.com/Dindihub/docsy-tuf.io/tree/main/themes. Let me fix that to see if it helps make the hero image appear.

[chalin]

Updating docsy doesn't seem to help. I'm not sure why the hero image isn't displaying. I'll investigate further tomorrow.

[chalin]

Ah, it's because of the Content-Security-Policy. I'll need to think about this more carefully and post here once I have an idea.

@JustinCappos et al. - would you be ok with the addition of style-src 'self' 'unsafe-inline' to the CSP here:

theupdateframework.io/netlify.toml

Line 29 in f7cc8f8

Content-Security-Policy = "default-src 'self' code.jquery.com fonts.googleapis.com fonts.gstatic.com use.fontawesome.com app.netlify.com netlify-cdp-loader.netlify.app youtube.com; frame-src youtube.com www.youtube.com"

[JustinCappos]

Ah, it's because of the Content-Security-Policy. I'll need to think about this more carefully and post here once I have an idea.

@JustinCappos et al. - would you be ok with the addition of style-src 'self' 'unsafe-inline' to the CSP here:

theupdateframework.io/netlify.toml

Line 29 in f7cc8f8

Content-Security-Policy = "default-src 'self' code.jquery.com fonts.googleapis.com fonts.gstatic.com use.fontawesome.com app.netlify.com netlify-cdp-loader.netlify.app youtube.com; frame-src youtube.com www.youtube.com"

Is there a reasonable workaround? Why do we need this? It's a bad look for a security project to disable security controls, even if they don't matter in this case.

[chalin]

Is there a reasonable workaround? Why do we need this? It's a bad look for a security project to disable security controls, even if they don't matter in this case.

Ok, I'll propose a workaround in a followup PR. Thanks for the feedback @JustinCappos.

Edit: track workaround via:

• [docsy] Work around inline-style CSP restriction #73

[chalin]

This is good enough as a first PR over the docsy branch. I'll follow up with the issues mentioned here but not yet addressed.