Remove inline styles; drop unsafe-inline style-src CSP; fixes for iframes (#950)

README.md

@@ -1,5 +1,4 @@
-Let's Encrypt Website
-=====================
+# Let's Encrypt Website
 
 This is the repository for the main [Let's Encrypt website].
 
@@ -46,12 +45,14 @@ To help with translation, please see [TRANSLATION.md].
 
 When creating new pages you'll need to add a translation stub for each language.
 You can use the `new-page.sh` script to create these automatically:
+
 ```sh
 Usage: ./new-page.sh <page-path> <page title>
 Examples:
 ./new-page.sh my-page "My Page Title"
 ./new-page.sh post/my-post "My Post Title"
 ```
+
 ```sh
 $ ./new-page.sh docs/new-page "My New Page"
 Created page: ./content/vi/docs/new-page.md

config/_default/server.toml

@@ -22,15 +22,14 @@ Permissions-Policy = """
     fullscreen=(self),
     interest-cohort=()
 """
-# "style-src unsafe-inline:" Cf https://github.com/letsencrypt/website/issues/950
 # "connect-src https://d4twhgtvn0ff5.cloudfront.net/" for stats graphs
 # "img-src data: blob:" is for Plotly download feature
 # "script-src unsafe-eval unsafe-inline data:": For Google Analytics
 # "form-action" is NOT set, so it allows everything (it doesn't default to default-src). If restricted, It must allow at least www.paypal.com and its redirects
 Content-Security-Policy = """
     default-src 'none';
+    style-src 'self';
     font-src 'self';
-    style-src 'unsafe-inline' 'self';
     script-src 'unsafe-eval' 'unsafe-inline' 'self' data:
         https://www.google-analytics.com
         https://www.googleadservices.com

content/cs/contact.md

@@ -28,18 +28,7 @@ E-mail: [sponsor@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## Přihlásit se k odběru novinek
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Soukromí
 

content/da/contact.md

@@ -28,18 +28,7 @@ E-mail: [press@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## Abonner på vores nyhedsbrev
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Privatlivspolitik
 

content/de/contact.md

@@ -22,18 +22,7 @@ Email: [sponsor@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## Abonnieren Sie unseren Newsletter
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Privatsphäre
 

content/de/getting-started.md

@@ -5,7 +5,7 @@ date: 2020-02-11
 lastmod: 2023-12-20
 ---
 
-<div style="display: flex; flex-direction: column; align-items: center; margin-bottom: 15px;">
+<div class="flex flex-col items-center mb-[15px]">
   <div>Die Let's Encrypt ACME Directory URL ist:</div>
   <div><a href="https://acme-v02.api.letsencrypt.org"><code>https://acme-v02.api.letsencrypt.org/directory</code></a></div>
 </div>

content/en/contact.md

@@ -28,18 +28,7 @@ Email: [sponsor@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## Subscribe to our Newsletter
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Privacy
 

content/en/documents/ISRG-CPS-v2.8.html

@@ -497,7 +497,7 @@ <h3 id="492-who-can-request-revocation">4.9.2 Who can request revocation</h3>
 <p>Subscribers can revoke certificates belonging to their accounts via the ACME API if they can sign the revocation request with the associated account private key. No other information is required in such cases. A number of ACME clients support this.</p>
 <p>Certificates may be administratively revoked by ISRG if it is determined that the Subscriber has failed to meet obligations under the CP, this CPS, the relevant Subscriber Agreement, or any other applicable agreement, regulation, or law. Certificates may also be administratively revoked at the discretion of ISRG management.</p>
 <h3 id="493-procedure-for-revocation-request">4.9.3 Procedure for revocation request</h3>
-<p>Revocation requests may be made at any time via the ACME API. Successful revocation requests with a reason code of <code style="font-family: Menlo, Consolas, &quot;DejaVu Sans Mono&quot;, monospace;">keyCompromise</code> will result in the affected key being blocked for future issuance and all currently valid certificates with that key will be revoked.</p>
+<p>Revocation requests may be made at any time via the ACME API. Successful revocation requests with a reason code of <code class="font-mono">keyCompromise</code> will result in the affected key being blocked for future issuance and all currently valid certificates with that key will be revoked.</p>
 <p>All other requests for revocation must be made by emailing <a href="mailto:cert-prob-reports@letsencrypt.org">cert-prob-reports@letsencrypt.org</a>. ISRG will respond to such requests within 24 hours, though an investigation into the legitimacy of the request may take longer.</p>
 <p>An investigation into whether revocation or other appropriate action is warranted will be based on at least the following criteria:</p>
 <ol>

content/en/documents/ISRG-CPS-v2.9.html

@@ -501,7 +501,7 @@ <h3 id="492-who-can-request-revocation">4.9.2 Who can request revocation</h3>
 <p>Subscribers can revoke certificates belonging to their accounts via the ACME API if they can sign the revocation request with the associated account private key. No other information is required in such cases. A number of ACME clients support this.</p>
 <p>Certificates may be administratively revoked by ISRG if it is determined that the Subscriber has failed to meet obligations under the CP, this CPS, the relevant Subscriber Agreement, or any other applicable agreement, regulation, or law. Certificates may also be administratively revoked at the discretion of ISRG management.</p>
 <h3 id="493-procedure-for-revocation-request">4.9.3 Procedure for revocation request</h3>
-<p>Revocation requests may be made at any time via the ACME API. Successful revocation requests with a reason code of <code style="font-family: Menlo, Consolas, &quot;DejaVu Sans Mono&quot;, monospace;">keyCompromise</code> will result in the affected key being blocked for future issuance and all currently valid certificates with that key will be revoked.</p>
+<p>Revocation requests may be made at any time via the ACME API. Successful revocation requests with a reason code of <code class="font-mono">keyCompromise</code> will result in the affected key being blocked for future issuance and all currently valid certificates with that key will be revoked.</p>
 <p>Requests for revocation may also be made by emailing <a href="mailto:cert-prob-reports@letsencrypt.org">cert-prob-reports@letsencrypt.org</a>. ISRG will respond to such requests within 24 hours, though an investigation into the legitimacy of the request may take longer.</p>
 <p>An investigation into whether revocation or other appropriate action is warranted will be based on at least the following criteria:</p>
 <ol>

content/en/post/2021-01-21-next-gen-database-servers.md

@@ -20,33 +20,33 @@ One consequence of this design is that our database machines need to be pretty p
 
 The previous generation of database hardware was powerful but it was regularly being pushed to its limits. For the next generation, we wanted to more than double almost every performance metric in the same 2U form factor. In order to pull that off, we needed AMD EPYC chips and Dell’s [PowerEdge R7525](https://www.dell.com/en-us/work/shop/cty/pdp/spd/poweredge-r7525/) was ideal. Here are the specifications:
 
-<div style="display: flex; flex-direction: column; align-items: center">
+<div class="flex flex-col items-center">
 <table>
 	<tr>
-		<td style="padding: 10px;"></td>
-		<td style="padding: 10px;"><b>Previous Generation</b></td>
-		<td style="padding: 10px;"><b>Next Generation</b></td>
+		<td class="p-[10px]"></td>
+		<td class="p-[10px]"><b>Previous Generation</b></td>
+		<td class="p-[10px]"><b>Next Generation</b></td>
 	</tr>
 	<tr>
-		<td style="padding: 10px; vertical-align: top;"><b>CPU</b></td>
-		<td style="padding: 10px;">2x Intel Xeon E5-2650<br>Total 24 cores / 48 threads</td>
-		<td style="padding: 10px;">2x <a href="https://www.amd.com/en/products/cpu/amd-epyc-7452">AMD EPYC 7542</a><br>Total 64 cores / 128 threads
+		<td class="p-[10px] align-top"><b>CPU</b></td>
+		<td class="p-[10px]">2x Intel Xeon E5-2650<br>Total 24 cores / 48 threads</td>
+		<td class="p-[10px]">2x <a href="https://www.amd.com/en/products/cpu/amd-epyc-7452">AMD EPYC 7542</a><br>Total 64 cores / 128 threads
 </td>
 	</tr>
 	<tr>
-		<td style="padding: 10px; vertical-align: top;"><b>Memory</b></td>
-		<td style="padding: 10px;">1TB 2400MT/s</td>
-		<td style="padding: 10px;">2TB 3200MT/s</td>
+		<td class="p-[10px] align-top"><b>Memory</b></td>
+		<td class="p-[10px]">1TB 2400MT/s</td>
+		<td class="p-[10px]">2TB 3200MT/s</td>
 	</tr>
 	<tr>
-		<td style="padding: 10px; vertical-align: top;"><b>Storage</b></td>
-		<td style="padding: 10px;">24x 3.8TB Samsung PM883<br>SATA SSD<br>560/540 MB/s read/write</td>
-		<td style="padding: 10px;">24x 6.4TB Intel P4610<br>NVMe SSD<br>3200/3200 MB/s read/write</td>
+		<td class="p-[10px] align-top"><b>Storage</b></td>
+		<td class="p-[10px]">24x 3.8TB Samsung PM883<br>SATA SSD<br>560/540 MB/s read/write</td>
+		<td class="p-[10px]">24x 6.4TB Intel P4610<br>NVMe SSD<br>3200/3200 MB/s read/write</td>
 	</tr>
 </table>
 </div>
 
-<figure style="display: flex; flex-direction: column; align-items: center; text-align: center">
+<figure class="flex flex-col items-center text-center">
 <img src="/images/2021.01.21-next-gen-db-chassis.jpg" width="600" alt="Dell PowerEdge R7525 Chassis">
 <figcaption>Dell PowerEdge R7525 internals. The two silver rectangles in the middle are the CPUs. The RAM sticks, each 64GB, are above and below the CPUs. The 24x NVMe drives are in the front of the server, on the far left.</figcaption>
 </figure>

content/en/post/2022-04-13-receiving-the-levchin-prize.html

@@ -159,7 +159,7 @@
   <p>Thank you again. This recognition means so much to us.</p>
 </div>
 
-<hr style="height: 1px; margin: 40px 0; border: 0; background-color: #e8e8e8" />
+<hr class="h-px my-10 border-0 bg-[#e8e8e8]" />
 <div>
   <h4>Supporting Let’s Encrypt</h4>
   <p>

content/en/post/2023-07-10-cross-sign-expiration.md

@@ -28,7 +28,7 @@ The transition will roll out as follows:
 <div class="howitworks-figure">
 <img alt="Infographic of the distribution of installed Android versions, showing that 93.9% of the population is running Android 7.1 or above."
      src="/images/2023.07.10-android-version-distribution.png"
-     style="width: 50%"/>
+     class="w-1/2"/>
 </div>
 
 **If you use Android 7.0 or earlier**, you may need to take action to ensure you can still access websites secured by Let's Encrypt certificates. We recommend installing and using [Firefox Mobile](https://www.mozilla.org/en-US/firefox/browsers/mobile/android/), which uses its own trust store instead of the Android OS trust store, and therefore trusts ISRG Root X1.

content/en/post/2024-05-28-Princeton-Partnership.md

@@ -12,7 +12,7 @@ Let's Encrypt is proud to have been partnering with the [Center for Information
 
 To date, [our work with Princeton](https://www.cs.princeton.edu/~jrex/papers/multiva20.pdf) has focused on defending against BGP attacks on domain control validation via [Multi-Perspective Issuance Corroboration (MPIC)](https://letsencrypt.org/2020/02/19/multi-perspective-validation.html). This year, Let's Encrypt is adding [two new remote perspectives](https://community.letsencrypt.org/t/lets-encrypt-is-adding-two-new-remote-perspectives-for-domain-validation/214123) for domain validation. This means we will make five total validation requests, one from the primary datacenter and four from remote perspectives (previously two). Increased perspectives provide more domain validation security, thus improving visibility and protection against BGP attacks.
 
-<figure class="blog-post-image" style="margin-bottom: 20px; display: flex; flex-direction: column; align-items: center; text-align: center">
+<figure class="blog-post-image mb-5 flex flex-col items-center text-center">
 <img src="/images/2024.05.28.le-new-config.png">
 <figcaption>Additional global vantage points increase resilience of Let’s Encrypt issuance. Source: Princeton Center for Information Technology Policy</figcaption>
 </figure>

content/en/post/2025-02-14-encryption-for-everybody.md

@@ -10,7 +10,7 @@ display_inline_newsletter_embed: false
 
 
 <div class="card border-0 pic-quote-right">
-    <img alt="Let's Encrypt 10th Anniversary logo " class="mx-auto img-fluid" src="/images/blog/10A-Logo.png" style="max-width: 200px; margin-bottom: 20px;" />
+    <img alt="Let's Encrypt 10th Anniversary logo " class="mx-auto img-fluid max-w-[200px] mb-5" src="/images/blog/10A-Logo.png" />
 </div>
 
 2025 marks ten years of Let's Encrypt. Already this year we've taken steps to continue to deliver on our values of [user privacy](https://letsencrypt.org/2025/01/22/ending-expiration-emails/), [efficiency](https://letsencrypt.org/2025/01/30/scaling-rate-limits/), and [innovation](https://letsencrypt.org/2025/01/09/acme-profiles/), all with the intent of continuing to deliver free TLS certificates to as many people as possible; to deliver encryption for everybody.

content/fr/certificates.md

@@ -202,14 +202,14 @@ Il existe parfois plus d'une chaîne valide pour un certificat donné : par exem
 
 Les certificats d'abonné avec des clés publiques RSA sont délivrés par nos intermédiaires RSA, qui sont délivrés uniquement par notre racine RSA ISRG Root X1 (c'est-à-dire qu'ils ne font pas l'objet d'une signature croisée). Par conséquent, tous les certificats d'abonné RSA ne disposent que d'une seule chaîne :
 
-<div style="text-align: center">
+<div class="text-center">
 RSA Subcriber Cert ← RSA Intermediate (R10 or R11) ← ISRG Root X1
 </div>
 <p><!-- to get the right line spacing after a block element --></p>
 
 Les certificats d'abonné avec des clés publiques ECDSA sont délivrés par nos intermédiaires ECDSA, qui sont délivrés à la fois par notre racine RSA de l'ISRG X1 et par notre racine ECDSA de l'ISRG X2 (c'est-à-dire qu'ils font l'objet d'une signature croisée). C'est pourquoi nous proposons deux chaînes pour ces certificats :
 
-<div style="text-align: center">
+<div class="text-center">
 ECDSA Subcriber Cert ← ECDSA Intermediate (E5 or E6) ← ISRG Root X1
 
 ECDSA Subcriber Cert ← ECDSA Intermediate (E5 or E6) ← ISRG Root X2

content/fr/contact.md

@@ -22,18 +22,7 @@ Courriel : [sponsor@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## Abonnez-vous à notre newsletter
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Confidentialité
 

content/he/contact.md

@@ -28,18 +28,7 @@ should_hide_footer_newsletter: true
 
 ## הרשמה לרשימת הדיוור שלנו
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## פרטיות
 

content/it/contact.md

@@ -22,18 +22,7 @@ Email: [sponsor@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## Iscriviti alla nostra newsletter
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Privacy
 

content/ja/contact.md

@@ -22,18 +22,7 @@ Email: [sponsor@letsencrypt.org](mailto:sponsor@letsencrypt.org)
 
 ## ニュースレターを購読
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## プライバシー
 

content/ru/contact.md

@@ -28,18 +28,7 @@ should_hide_footer_newsletter: true
 
 ## Подпишитесь на нашу рассылку
 
-<iframe id="newsletter-iframe-inline" src="https://outreach.abetterinternet.org/l/1011011/2025-01-14/31v6r" style="width: 100%; border: 0; overflow: hidden;"></iframe>
-<script>
-let hasResized = false;
-window.addEventListener('message', function(e) {
-    if (hasResized) return; // Only allow one resize
-    if (e.origin !== 'https://outreach.abetterinternet.org') return;
-    if (e.data && typeof e.data === 'object' && e.data.type === 'resize' && e.data.height) {
-        hasResized = true;
-        document.getElementById('newsletter-iframe-inline').style.height = (e.data.height + 20) + 'px';
-    }
-});
-</script>
+{{< newsletter-inline >}}
 
 ## Конфиденциальность