remove CSP styles 'unsafe-inline' exeption

Simon-Laux commented 3 years ago

[ ] load theme css from file from dc scheme (make sure to not forget support for custom themes, maybe just rewrite the file path to the configured theme. (theme-manager still needs to modify the css import on theme change to trigger theme reload so just removing it and referencing a single theme address like dc://deltachat/theme.css won't work)
[ ] react-virtualized injects an inline style element called detectElementResize
[ ] hidden area inline style of the color-input must be moved into the main stylesheet.

Simon-Laux commented 3 years ago

Change: file scheme instead of dc scheme for loading themes since #2171

Simon-Laux commented 1 year ago

I don't really see this css CSP thing as a real security vulnerabilty. But If you can change my mind (show me how it can be abused in deltachat), I'll reconsider.

deltachat / deltachat-desktop

remove CSP styles 'unsafe-inline' exeption #2105