29 changes: 29 additions & 0 deletions src/pages/privacy-policy.astro
@@ -0,0 +1,29 @@
---
import StarlightPage from "@astrojs/starlight/components/StarlightPage.astro";
---

<StarlightPage
frontmatter={{
title: "Privacy Policy",
description: "Fiberplane Privacy Policy",
template: "splash"
}}
>
<!-- @ts-expect-error Termly won't render without ¯\_(ツ)_/¯ -->
<div name="termly-embed" data-id="a410debf-2132-4f59-9a6e-9de1f47295ff"></div>

<script>
(function (d, s, id) {
var js,
tjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);

if (js instanceof HTMLScriptElement && tjs.parentNode) {
js.id = id;
js.src = "https://app.termly.io/embed-policy.min.js";
tjs.parentNode.insertBefore(js, tjs);
}
})(document, "script", "termly-jssdk");
</script>
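Review bot: the injected script element is given only `id` and `src`, with no `crossorigin` attribute, so even once an `integrity` value is available it could not be enforced: browsers verify SRI only on CORS-mode fetches, and a cross-origin script carrying `integrity` without `crossorigin` is blocked outright. Suggest setting `js.crossOrigin = "anonymous";` next to `js.src = "https://app.termly.io/embed-policy.min.js";` now, so adding `js.integrity` later is a one-line change. Minor: `var js, tjs` can be `const`/`let`, since Astro bundles this `<script>` as an ES module.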
Comment on lines +12 to +28
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Consider privacy implications of third-party embed.

Loading a third-party service (Termly) on your privacy policy page may result in user tracking or data collection by Termly. Ensure this is compliant with your privacy policy and consider whether visitors should be notified.

You may want to review Termly's privacy practices:


🌐 Web query:

What data does Termly collect from embed-policy.min.js visitors?

💡 Result:

Short answer — Termly's embed-policy.min.js (the script used to embed Termly-hosted policies) collects minimal visitor and device/usage data needed to render and log consent. According to Termly's docs and privacy info this includes things like:

  • consent logs and cookie preferences (what the visitor accepted/declined). [1][2]
  • technical/browser/device identifiers: IP address, browser and device characteristics, OS, language, user-agent. [1][3]
  • request/usage metadata: referring URL, timestamps, pages visited and other basic log/usage data. [1][3]
    Termly also says it minimizes/anonymizes visitor data and offers an EU-only data storage option for consents. [1][2]

Sources: Termly support & privacy pages summarizing “visitor data” and embed usage. [1][2][3]



---

🏁 Script executed:

```shell
#!/bin/bash
# Check the full privacy-policy.astro file for any disclosure about Termly or third-party tracking
cat src/pages/privacy-policy.astro | head -80
```

Length of output: 812


Ensure Termly's data collection is properly disclosed on the privacy policy page.

The privacy-policy.astro file loads Termly's embed script without visible disclosure. Termly collects consent logs, IP address, browser and device identifiers, OS, language, user-agent, referring URLs, timestamps, and pages visited. Since visitors come to this page specifically to review privacy practices, consider adding a disclosure about this third-party tracking or verify that Termly's hosted policy embedded on this page adequately discloses this data collection.

Comment on lines +15 to +28
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Add Subresource Integrity (SRI) for external script.

Loading the Termly SDK without Subresource Integrity verification creates a security risk. If the external domain is compromised, malicious code could be injected into your privacy policy page.

Consider adding SRI attributes. First, check Termly's documentation for their recommended implementation:

If SRI is not available from Termly, consider these alternatives:

  1. Host the Termly script on your own CDN with SRI
  2. Implement a Content Security Policy (CSP) to restrict script sources
  3. Contact Termly support to request SRI support

Additionally, verify your site's CSP allows scripts from app.termly.io:


🏁 Script executed:

```shell
#!/bin/bash
# Description: Check for Content Security Policy configuration

echo "Searching for CSP configuration..."
rg -n "Content-Security-Policy" -A 5
rg -n "script-src" -A 3
```

Length of output: 34


🌐 Web query:

Does Termly provide Subresource Integrity hash for embed-policy.min.js?

💡 Result:

Short answer: No — Termly’s documentation and embed snippets do not provide a Subresource Integrity (integrity) hash for embed-policy.min.js. Their examples use a plain src to https://app.termly.io/embed-policy.min.js (or newer app.termly.io resource URLs) without an integrity attribute. [1][2]

If you need SRI, you can fetch the file yourself, compute the SHA256/384/512 hash, and add an integrity attribute — but note that Termly may update that hosted file (breaking the hash) unless you self-host a stable copy. [1][2]

Sources:

  • Termly embed (React) example showing script src (no integrity). [1]
  • Termly CMP embed script versions (lists hosted script URLs; no integrity/hash provided). [2]

I need to check for CSP configuration at the deployment/build level, as it may not be in the source code directly.


🏁 Script executed:

```shell
#!/bin/bash
# Description: Search for deployment and build configuration files

echo "Searching for deployment configuration files..."
# fd takes a single regex pattern (-e selects extensions, -o filters by owner),
# so the candidate file names are matched with one alternation instead.
fd -H '^(astro\.config\.(mjs|ts|js)|netlify\.toml|vercel\.json|_headers|_redirects)$' 2>/dev/null

echo ""
echo "Checking for astro integrations or middleware that might set headers..."
rg -n "setHeader|addHeader|middleware" --type ts --type js -B 2 -A 2 2>/dev/null | head -30

echo ""
echo "Looking for security-related configuration..."
rg -n "secure|security|header" --type ts --type js --type toml --type json -i 2>/dev/null | head -20
```

Length of output: 167


Add Subresource Integrity (SRI) or implement Content Security Policy for external Termly script.

Termly does not provide a Subresource Integrity (integrity) hash for embed-policy.min.js, and no Content Security Policy is configured in the codebase to restrict the script source. Loading this external script without protection creates a security risk—if app.termly.io is compromised, malicious code could be injected.

Recommended mitigations:

  1. Self-host the Termly script on your own CDN with SRI verification
  2. Implement a Content Security Policy (CSP) header to restrict script-src to approved domains
  3. Contact Termly support to request they provide an SRI hash for the hosted script
🤖 Prompt for AI Agents
In src/pages/privacy-policy.astro around lines 15 to 28 the external Termly
script is injected without Subresource Integrity or any Content Security Policy,
exposing the app to supply-chain/script injection risk; fix this by either
self-hosting the embed-policy.min.js on your CDN and adding an integrity hash
and crossorigin attribute to the script include, or implement a CSP header (or
meta CSP) that restricts script-src to trusted origins and/or uses nonces for
inline script execution; if you must keep the remote script, request an SRI hash
from Termly and include it (or else add a strict CSP that only allows
app.termly.io and your CDN), and ensure you test that the script still loads and
that crossorigin is set appropriately for SRI verification.

</StarlightPage>