Remove unsafe-inline from CSP #984

tunetheweb · 2020-07-08T16:57:27Z

We allow inline-styles in case Authors want to use them. However few do and in #965 we cleaned them all up to use classes instead.

Should we remove unsafe-inline from our CSP as per best practice?

Or do we think we want to keep the ability to have in-line styles directly in HTML elements?

We still have some <style> code directly in our HTML templates in the <head>, but they are easily handled with a nonce same as we do for scripts:

So, from this:

<style>
...
</style>

to this:

<style nonce="{{ csp_nonce() }}">
...
</style>

And would need to add style-src to our nonce config:

Line 30 in db9bc92

content_security_policy_nonce_in=['script-src'])

As we already use this for script-src I think this is safe to do.

The text was updated successfully, but these errors were encountered:

rviscomi · 2020-07-08T23:46:44Z

This seems like a good idea

tunetheweb added the development Building the Almanac tech stack label Jul 8, 2020

tunetheweb added this to the 2019 Backlog milestone Jul 8, 2020

tunetheweb added the good first issue Good for newcomers label Jul 8, 2020

tunetheweb mentioned this issue Jul 12, 2020

Remove inline styles from CSP #1010

Merged

tunetheweb self-assigned this Jul 12, 2020

tunetheweb closed this as completed in #1010 Jul 13, 2020

Provide feedback