Open cwaldbieser opened 3 years ago
For later reference, this specific CSP allows the inline icon font from Wave UI and is still fairly restrictive.
```apache
<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;"
</IfModule>
```
On the one hand, it is very convenient and optimized to have this icon set embedded in a few lines of code (this set will likely not change in the near future, and it spares an extra HTTP request unless it's already bundled). On the other hand, I understand it is not a best practice to allow style sources to be inline in data. This is why this issue stays open forever until I resolve to either change the behavior or close it.
Later, other votes could also motivate the change.
`_icons.scss` uses a `data:` URI. This can be blocked by strict content security policies. Could the font just be moved to an actual asset file?
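An added illustration (not part of the original thread or of Wave UI's code): a small policy check showing why the embedded font is blocked under a strict policy and what the header quoted in this thread relaxes. `font-src` falls back to `default-src` when absent, and a `data:` URL matches only when the `data:` scheme is listed explicitly. `STRICT_POLICY` is a constructed sample and all function names are hypothetical.

```javascript
// Constructed sample of a strict policy, plus the header value quoted in this thread.
const STRICT_POLICY = "default-src 'self'";
const THREAD_POLICY =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;";

// Minimal CSP parser: directive names are case-insensitive and the first
// occurrence of a directive wins; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as font-src and style-src fall back to default-src.
// Returns null when neither is present (no restriction applies).
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// A data: font loads only if the governing source list names the data: scheme.
// 'self', host sources and '*' do not match data: URLs.
function allowsDataFonts(policy) {
  const sources = effectiveSources(parseCsp(policy), 'font-src');
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === 'data:');
}

// Inline styles need 'unsafe-inline'; browsers ignore that keyword when a
// nonce or hash source is also present. (style-src-elem/-attr are not modelled.)
function allowsInlineStyles(policy) {
  const sources = effectiveSources(parseCsp(policy), 'style-src');
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Summary a reviewer can diff between two candidate headers.
function audit(policy) {
  return { dataFonts: allowsDataFonts(policy), inlineStyles: allowsInlineStyles(policy) };
}

console.log('strict:', audit(STRICT_POLICY));
console.log('thread:', audit(THREAD_POLICY));
```

Serving the font as a same-origin asset file would let `audit` report `dataFonts: false` for the deployed header without breaking the icons.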