Skip to content

Commit

Permalink
Backport #32759 (#32832)
Browse files Browse the repository at this point in the history
Mention CSP and embedded SVGs in v4 docs
  • Loading branch information
mdo authored Jan 19, 2021
1 parent d2477ab commit 9c4abcc
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions site/content/docs/4.5/getting-started/introduction.md
Original file line number Diff line number Diff line change
Expand Up @@ -160,3 +160,17 @@ Stay up to date on the development of Bootstrap and reach out to the community w
- Developers should use the keyword `bootstrap` on packages which modify or add to the functionality of Bootstrap when distributing through [npm](https://www.npmjs.com/search?q=keywords:bootstrap) or similar delivery mechanisms for maximum discoverability.

You can also follow [@getbootstrap on Twitter](https://twitter.com/{{< param twitter >}}) for the latest gossip and awesome music videos.

## CSPs and embedded SVGs

Several Bootstrap components include embedded SVGs in our CSS to style components consistently and easily across browsers and devices. **For organizations with more strict <abbr title="Content Security Policy">CSP</abbr> configurations**, we've documented all instances of our embedded SVGs (all of which are applied via `background-image`) so you can more thoroughly review your options.

- [Close button]({{< docsref "/utilities/close-icon" >}}) (used in alerts and modals)
- [Custom checkboxes and radio buttons]({{< docsref "/components/forms#custom-forms" >}})
- [Form switches]({{< docsref "/components/forms#switches" >}})
- [Form validation icons]({{< docsref "/components/forms#validation" >}})
- [Custom select menus]({{< docsref "/components/forms#select-menu" >}})
- [Carousel controls]({{< docsref "/components/carousel#with-controls" >}})
- [Navbar toggle buttons]({{< docsref "/components/navbar#responsive-behaviors" >}})

Based on [community conversation](https://github.com/twbs/bootstrap/issues/25394), some options for addressing this in your own codebase include replacing the URLs with locally hosted assets, removing the images and using inline images (not possible in all components), and modifying your CSP. Our recommendation is to carefully review your own security policies and decide on a best path forward, if necessary.

0 comments on commit 9c4abcc

Please sign in to comment.