Replies: 4 comments
-
I'm aligned with @Yannik's viewpoint regarding CSP implementation in the package. I believe that either automatically removing nonces when Thanks
-
Feel free to submit a PR 👍
-
That would be amazing! Actual example is using tinymce requiring 'unsafe-inline' for style... https://www.tiny.cloud/docs/tinymce/latest/tinymce-and-csp/
-
PR created for this: #132
-
I have a quite complicated CSP, which is optimized for minimal permissions, but for some pages is more open due to third party library requirements (e.g. mapbox).

By default, hashes are set for inline styles, but sometimes it is necessary to set unsafe-inline because the hashes cannot be precomputed.

In this case, it would be very useful to either a) automatically or b) manually remove the hash/nonce directives, because otherwise unsafe-inline is ignored by the client browser per the CSP spec.

@freekmurze What do you think about this?
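The behaviour raised in the original post, as an added example that is not part of the thread or of the package's code: it finds directives where a browser will ignore 'unsafe-inline' because a nonce or hash source is also listed, and drops those sources either for every affected directive (option a) or only for named ones (option b). The function names, the sample policy, and its nonce and hash values are constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not the package's API.
// Matches CSP nonce and hash source expressions such as 'nonce-...' or 'sha256-...'.
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;
const isUnsafeInline = (s) => s.toLowerCase() === "'unsafe-inline'";

// Split a policy string into [directiveName, sources[]] pairs, in order.
function parsePolicy(policy) {
  return policy.split(';')
    .map((part) => part.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map(([name, ...sources]) => [name.toLowerCase(), sources]);
}

// Directives whose 'unsafe-inline' has no effect in the browser,
// because the same source list also carries a nonce or a hash.
function ignoredUnsafeInline(policy) {
  return parsePolicy(policy)
    .filter(([, sources]) => sources.some(isUnsafeInline)
      && sources.some((s) => NONCE_OR_HASH.test(s)))
    .map(([name]) => name);
}

// Drop nonce/hash sources from directives that list 'unsafe-inline'.
// only === null: every such directive (automatic, option a).
// only = ['style-src']: just the named directives (manual, option b).
function dropNoncesAndHashes(policy, only = null) {
  return parsePolicy(policy).map(([name, sources]) => {
    const selected = only === null || only.includes(name);
    const strip = selected && sources.some(isUnsafeInline);
    const kept = strip ? sources.filter((s) => !NONCE_OR_HASH.test(s)) : sources;
    return [name, ...kept].join(' ');
  }).join('; ');
}

// Constructed sample policy; the nonce and hash are placeholders, not real digests.
const SAMPLE = "default-src 'self'; "
  + "style-src 'self' 'sha256-Y29uc3RydWN0ZWQtZXhhbXBsZQ==' 'unsafe-inline'; "
  + "script-src 'self' 'nonce-cjRuZDBt'";

console.log(ignoredUnsafeInline(SAMPLE));              // directives needing attention
console.log(dropNoncesAndHashes(SAMPLE, ['style-src'])); // policy with the hash removed
```

Restricting the removal to `style-src` leaves the `script-src` nonce in place, which keeps the rest of the policy as tight as it was.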