FreshRSS: Add MathJax support

Created on 12 Aug 2019 · 11 Comments · Source: FreshRSS/FreshRSS

I'd like to add MathJax support to render inline equations. Normally this can be accomplished by adding the following JavaScript to the HTML header (e.g. add it to section of layout.phtml):

<script src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/latest.js?config=TeX-AMS_HTML"></script>

Unfortunately, this does not work because executing an external JavaScript is forbidden by the current Content-Security-Policy as defined in FreshRSS.php:

header(sprintf("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; media-src *%s", $connectSrc));

I'm not sure how to fix this without breaking things or introducing security holes. According to the people of MathJax, I would have to add https://cdnjs.cloudflare.com/ajax/libs/mathjax/ to the script-src list. Simply appending ; script-src 'self' https://cdnjs.cloudflare.com/ajax/libs/mathjax/ does not seem to suffice.

@Alkarex it seems you were handling the Content-Security-Policy in #1075. Would you have any idea how I could fix this?

Documentation Extension

All 11 comments

Are you sure you want it to be remotely hosted, CSP or not? Because you could create a little extension with a Minz_View::appendScript('mathjax.js'); type call. See here for a fully fleshed out example.

@jkinable I think that your request must be addressed with an extension. I don't foresee that many people using MathJax, thus I don't think it's a good idea to add it to the core.

@aledeg yes, it was my intention to add this functionality as a plugin. However, with a FreshRSS MathJax Extension I run into the same issue:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/latest.js?config=TeX-AMS_HTML' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
As such, I'm not sure how to whitelist this external JavaScript.

@Frenzie I'm not sure I understand your post. Why wouldn't I use the remote JavaScript? I could only think of a potential performance issue (no idea how bad this is). I presume you were suggesting to install MathJax directly?

You should be able to override it by sending out a header with something like Content-Security-Policy: script-src https://cdnjs.cloudflare.com; (although that seems a bit broad).

If you use CSP with a hash then it's secure, otherwise the script could be anything. Performance wouldn't be too bad, but reliability is another matter. Of course Cloudflare says they're great, but the simple fact is that half the internet is out these days when Cloudflare is. MathJax being out is relatively benign but it's something I don't like. ;-)
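The policy logic discussed in this thread, as an added example that is not part of the original issue or of FreshRSS: a simplified model of how a browser picks the directive for a script element and matches the MathJax URL against it. It assumes `$connectSrc` is empty; the instance origin and the second CDN URL are constructed. Only the source-list match for a single script URL is modelled.

```javascript
// Added example (not FreshRSS code): simplified CSP Level 3 check for <script src>.
// Handles 'self' and scheme://host[/path] sources only; nonces, hashes,
// wildcard hosts, ports and redirects are out of scope.

// "name a b; name2 c" -> { name: ['a', 'b'], name2: ['c'] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [rawName, ...sources] = part.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !(name in policy)) policy[name] = sources;
  }
  return policy;
}

// Script elements fall back: script-src-elem -> script-src -> default-src.
function effectiveScriptDirective(policy) {
  return ['script-src-elem', 'script-src', 'default-src'].find((d) => d in policy) || null;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  let expr;
  try { expr = new URL(source); } catch { return false; } // keywords, '*', bare hosts
  if (expr.origin !== url.origin) return false;
  // A source path ending in "/" is a prefix match; otherwise it must match exactly.
  return expr.pathname.endsWith('/')
    ? url.pathname.startsWith(expr.pathname)
    : url.pathname === expr.pathname;
}

function scriptAllowed(header, scriptUrl, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = effectiveScriptDirective(policy);
  if (directive === null) return { allowed: true, directive };
  const url = new URL(scriptUrl);
  const allowed = policy[directive].some((s) => sourceMatches(s, url, selfOrigin));
  return { allowed, directive };
}

// Policy string from the issue, with $connectSrc assumed empty.
const BASE = "default-src 'self'; frame-src *; img-src * data:; media-src *";
const SELF = 'https://rss.example.org'; // constructed origin of the FreshRSS instance
const MATHJAX = 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/latest.js?config=TeX-AMS_HTML';
const OTHER = 'https://cdnjs.cloudflare.com/ajax/libs/other-lib/1.0.0/other.min.js'; // constructed
const PATH_SCOPED = BASE + "; script-src 'self' https://cdnjs.cloudflare.com/ajax/libs/mathjax/";
const HOST_WIDE = BASE + "; script-src 'self' https://cdnjs.cloudflare.com";
for (const [label, p] of Object.entries({ BASE, PATH_SCOPED, HOST_WIDE })) {
  console.log(label, scriptAllowed(p, MATHJAX, SELF), scriptAllowed(p, OTHER, SELF));
}
```

With the base policy the result names `default-src` as the deciding directive, matching the console message quoted earlier in the thread. The path-scoped source admits only files under the MathJax directory, while the host-wide source admits any file on the CDN host.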

@jkinable I've created an extension to render LaTeX notation. It's a first draft but it's still usable. You can find it here https://github.com/aledeg/FreshRSS-extensions. Could you give it a try?
Let me know what you think about it. Thank you!

@Frenzie @Alkarex @marienfressinaud The extension is working. It's not perfect though. Should I add it in the extension list now?

Fine by me. Btw, not perfect in which way?

I had to add a function to modify a pattern that was not recognized by MathJax. It's done while displaying entries, on each entry. I would rather find a way to configure MathJax the proper way.

Should I add it in the extension list now?

Sure 👍🏻

I've just added the extension to the repository. I think we could close that issue.

Closing. ;-)
