biati-digital / glightbox

Pure JavaScript lightbox with mobile support. It can handle images, videos with autoplay, inline content and iframes.
MIT License

Content Security Policy (CSP) Nonce support #402

Closed. chrish123 closed 1 year ago

chrish123 commented 1 year ago

Hi,

Would it be possible to add an option to add a nonce value, e.g. 'nonce': '<%:csp_nonce%>', to the initialisation of glightbox, which is then passed on to the dynamically generated tags?

I have a content security policy on my website and I'm loading the script with: <script nonce="<?php echo $csp_nonce;?>" src="<?php echo $domain;?>/assets/vendor/glightbox/js/glightbox.min.js"></script>

I could probably modify the source code of the un-minified glightbox.js script, as it generates dynamic script and style tags when the lightbox is enabled and navigation appears etc, and using 'strict-dynamic' in the CSP does not seem to work.

gingerchew commented 1 year ago

If you add the Plyr script statically before the Glightbox script, it should work. Glightbox checks for Plyr in the window object before adding the assets.
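
An added sketch, not GLightbox code and not written by either commenter, of the two approaches discussed in this thread: skip injection when window.Plyr is already present, otherwise copy the loader script's nonce onto the generated tags. The function names and asset paths are hypothetical.

```javascript
// Added example: names and asset paths are hypothetical, not GLightbox's API.

// Return the nonce of the <script> element that loaded the current code.
// Browsers may hide the nonce content attribute from scripts once the
// element is in the document, so the .nonce property is checked first.
function readNonce(scriptEl) {
  if (!scriptEl) return '';
  return scriptEl.nonce || scriptEl.getAttribute('nonce') || '';
}

// Inject the player stylesheet and script unless the player is already
// present (loaded statically). Returns the elements that were appended.
function loadPlayerAssets(win, nonce, urls) {
  // Same idea as the check described in the reply above: if Plyr is
  // already on the window object, no tags are generated at all.
  if (typeof win.Plyr !== 'undefined') return [];

  const doc = win.document;
  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  link.href = urls.css;

  const script = doc.createElement('script');
  script.src = urls.js;
  script.async = true;

  const added = [link, script];
  for (const el of added) {
    // The nonce must be set before the element is inserted, because the
    // CSP check happens when the browser starts fetching the resource.
    if (nonce) el.setAttribute('nonce', nonce);
    doc.head.appendChild(el);
  }
  return added;
}

// Browser-only usage; skipped when run outside a page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadPlayerAssets(window, readNonce(document.currentScript), {
    css: '/assets/vendor/plyr/plyr.css',   // placeholder path
    js: '/assets/vendor/plyr/plyr.min.js', // placeholder path
  });
}
```
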