Open kmindi opened 1 month ago
Hey, you are right that you have to add unsafe-inline
to either style-src
or default-src
. I will look into why this isn't documented yet!
Alternatively, you can set skipStyleInjection
and add your own style sheet (or copy ours) to style the widget. This way you can avoid the CSP issue.
Thanks already!, Yet, adding it seems to have no effect because we use a nonce, but don't know why it does not work with that nonce, it should be set at all places...
Hi,
I have not yet created a MVP or anything similar to further dig down, but apparently the recommended settings https://docs.friendlycaptcha.com/#/csp miss a step about the style-src / style-src-elem.
The widget.module.js injects a style element, which is blocked on a page with the following Content-Security-Policy Error in Chrome:
Thanks for confirming or looking into it. I'm happy to provide more information if needed and update this issue.