Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove 'unsafe-inline' from Content-Security-Policy style-src #13679

Merged
merged 2 commits into from
May 8, 2020

Conversation

ClearlyClaire
Copy link
Contributor

@ClearlyClaire ClearlyClaire commented May 8, 2020

Add wicg-inert's dynamically-inserted CSS rules to a static stylesheet, and remove 'unsafe-inline' from the style-src directive.
Until wicg-inert is fixed (WICG/inert#148), it will still attempt to dynamically insert those rules, leading to a warning, but no loss in functionality.

@Gargron Gargron merged commit e1629a7 into mastodon:master May 8, 2020
@dfgweb
Copy link

dfgweb commented Jul 24, 2020

CSS customization on client side using the Stylish Firefox extension for example don't work anymore with the unsafe-inline removed.

@ClearlyClaire
Copy link
Contributor Author

ClearlyClaire commented Jul 24, 2020

I do not have this issue with the similar Stylus Firefox extension, so that's definitely a thing extensions need to, and can handle.

Furthermore, unlike Stylus, Stylish seems unmaintained, and has been the subject of a privacy scandal a while ago.

@dfgweb
Copy link

dfgweb commented Jul 24, 2020

Just learn about Stylus while searching why Stylish not work anymore. Found that last update of Stylish is from long long time ago, so I switch to Stylus. And no problem anymore.

Sorry for the noise. Just hope these two little comments will help other user that will be faced the same problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants