Inline Style doesn't work with Content Security Policy #2087
Comments
My understanding of CSP is rusty at the moment 😓 How did you enable CSP in your app? Do you know what the alternatives are?
That's pretty straightforward - see https://edgeguides.rubyonrails.org/security.html#content-security-policy

```ruby
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src :self, :https, :data
  policy.img_src :self, :https, :data
  policy.object_src :none
  policy.script_src :self, :https
  policy.style_src :self, :https
end
```

If you want to allow inline style and js (but only in a separate tag) you need to activate nonce generation:

```ruby
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_directives = %w(script-src style-src)
```

This way you could do things like:

```erb
<%= javascript_tag nonce: true do %>
<% end -%>
<style type="text/css" nonce="<%= content_security_policy_nonce %>">
</style>
```

But as I said earlier it would be a cleaner solution if that
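The nonce mechanism described in the comment above, modelled in plain Ruby as an added example (this is not Rails's, administrate's or the commenter's code, and all function names here are assumptions): `build_csp_header` mirrors what Rails does with `content_security_policy` plus `content_security_policy_nonce_directives`, issuing a fresh per-request nonce and appending it only to the listed directives, and `inline_style_allowed?` reproduces the browser's decision for an inline `<style>` element. It also shows the caveat that matters for this issue: a `style="..."` attribute cannot be nonced at all, so the only policy-side fixes are `'unsafe-inline'` or moving the rule into a stylesheet, which is why moving the style into administrate's CSS is the cleaner fix.

```ruby
require "securerandom"

# Constructed model of the Rails CSP config quoted above (not Rails code).
POLICY = {
  "default-src" => %w['self' https:],
  "font-src"    => %w['self' https: data:],
  "img-src"     => %w['self' https: data:],
  "object-src"  => %w['none'],
  "script-src"  => %w['self' https:],
  "style-src"   => %w['self' https:],
}.freeze

# Directives that receive the per-request nonce (cf. nonce_directives).
NONCE_DIRECTIVES = %w[script-src style-src].freeze

# One unpredictable nonce per response, as the Rails generator lambda does.
def generate_nonce
  SecureRandom.base64(16)
end

# Serialises the policy into a Content-Security-Policy header value,
# appending 'nonce-<value>' only to the directives that were opted in.
def build_csp_header(policy, nonce, nonce_directives = NONCE_DIRECTIVES)
  policy.map do |directive, sources|
    sources += ["'nonce-#{nonce}'"] if nonce_directives.include?(directive)
    "#{directive} #{sources.join(' ')}"
  end.join("; ")
end

# Parses a header value back into { directive => [source expressions] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    acc[tokens.shift] = tokens
  end
end

# Browser-side decision for an inline <style> element: style-src governs it
# (falling back to default-src). 'unsafe-inline' permits it only when the
# directive carries no nonce or hash source; otherwise the element's nonce
# attribute must match one of the 'nonce-...' sources exactly.
def inline_style_allowed?(header, element_nonce)
  directives = parse_csp(header)
  sources = directives["style-src"] || directives["default-src"] || []
  has_nonce_or_hash = sources.any? { |s| s =~ /\A'(nonce|sha(256|384|512))-/ }
  return true if sources.include?("'unsafe-inline'") && !has_nonce_or_hash
  return false if element_nonce.nil? || element_nonce.empty?
  sources.include?("'nonce-#{element_nonce}'")
end

# A style="..." attribute has no nonce attribute to match, so a nonce never
# helps it; under this model only 'unsafe-inline' (without nonce/hash sources)
# lets it apply. ('unsafe-hashes' with a hash is the CSP3 alternative, omitted here.)
def style_attribute_allowed?(header)
  directives = parse_csp(header)
  sources = directives["style-src"] || directives["default-src"] || []
  has_nonce_or_hash = sources.any? { |s| s =~ /\A'(nonce|sha(256|384|512))-/ }
  sources.include?("'unsafe-inline'") && !has_nonce_or_hash
end

# Simulates one server response: header and a nonce-carrying <style> element.
def render_response(policy = POLICY)
  nonce = generate_nonce
  {
    nonce: nonce,
    header: build_csp_header(policy, nonce),
    html: %(<style type="text/css" nonce="#{nonce}">.demo { display: none; }</style>),
  }
end

if __FILE__ == $0
  r = render_response
  puts "Content-Security-Policy: #{r[:header]}"
  puts r[:html]
  puts "nonced <style> allowed?   #{inline_style_allowed?(r[:header], r[:nonce])}"
  puts "un-nonced <style> allowed? #{inline_style_allowed?(r[:header], nil)}"
  puts "style attribute allowed?   #{style_attribute_allowed?(r[:header])}"
end
```

Two things to notice when running it: the nonce changes on every response, so a value observed once cannot be replayed, and a header built without `style-src` in the nonce directives blocks the nonced element anyway, because the nonce must appear on both sides.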
I see, that makes sense. I wonder if the style was put inline originally due to some browser incompatibility or some such? Browsers are better-behaved creatures these days, so perhaps we can try to move this into the stylesheets as you first proposed. Would you be able to create a PR?
It was the grammarly browser extension for me that I had to disable 🤦🏽‍♂️
@kaka-ruto - Thank you for sharing that! 🙌 It may be helpful to other people who end up here in the future.
Hello,
after enabling CSP I get this error in the browser console when opening administrate:
Referencing this line:
Maybe this simple style could be transferred to the administrate css?
Greetings,
Michael