getnikola / nikola-themes

Themes for Nikola
https://themes.getnikola.com/

[bootstrap] make bootstrap work out of the box with common Content-Security-Policy #148

Closed appliedprivacy closed 6 years ago

appliedprivacy commented 6 years ago

bootstrap currently uses inline scripts (for fancydates) which do not work nicely with CSP unless you add hashes for these inline scripts to your policy.

Also after taking care of the inline scripts there appears to be a problem with the old jQuery version (1.11.x).

CSP policy used:

default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

CSP violation as seen in the error console:

Content Security Policy: The page’s settings blocked the loading of a resource at 
self  [...] Source: onfocusin attribute on DIV element.

references to this problem:
https://github.com/IdentityServer/IdentityServer3/issues/3338
https://github.com/atech/postal/issues/280
https://bugzilla.mozilla.org/show_bug.cgi?id=1336076

It would be great if you could:

thanks!
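An added example (not code from the nikola-themes project) of what the hash approach mentioned in this issue involves: it computes a CSP hash source for an inline script, appends it to the script-src of the policy quoted above, and checks whether a given policy string would let an inline script run. The INLINE_SCRIPT body is a constructed stand-in for the theme's fancydates call, not the real template output.

```python
import base64
import hashlib

# Constructed sample of the kind of inline <script> a theme template emits;
# it is not the real bootstrap theme source.
INLINE_SCRIPT = "fancydates(1, 'YYYY-MM-DD');"

# The policy quoted in the issue.
POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
          "img-src 'self'; style-src 'self';")


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """CSP source expression for one inline script.

    The digest covers the exact text between <script> and </script>,
    whitespace included, so any template change invalidates the hash.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def _directives(policy: str) -> list:
    """Split a policy string into [name, source, source, ...] lists."""
    return [d.split() for d in policy.split(";") if d.strip()]


def add_script_hashes(policy: str, scripts) -> str:
    """Return the policy with one hash source per inline script on script-src."""
    out = []
    for name, *sources in _directives(policy):
        if name == "script-src":
            sources += [csp_hash(s) for s in scripts]
        out.append(" ".join([name, *sources]))
    return "; ".join(out) + ";"


def script_sources(policy: str) -> list:
    """Sources governing <script>: script-src, else default-src (as browsers do)."""
    found = {name: sources for name, *sources in _directives(policy)}
    return found.get("script-src", found.get("default-src", []))


def inline_script_allowed(policy: str, script_body: str) -> bool:
    """Would a CSP Level 2+ browser execute this inline script under the policy?"""
    sources = script_sources(policy)
    if "'unsafe-inline'" in sources and not any(
            s.startswith(("'nonce-", "'sha")) for s in sources):
        return True  # 'unsafe-inline' is ignored once a nonce or hash is present
    return any(csp_hash(script_body, a) in sources for a in ("sha256", "sha384", "sha512"))
```

The hash has to be regenerated whenever the rendered inline script text changes. A hash source also does not cover inline event-handler attributes such as the onfocusin in the reported violation; those need CSP Level 3's 'unsafe-hashes' or the handler moved into an external script.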

Kwpolska commented 6 years ago

Are you talking about the outdated bootstrap (2) theme? We don’t support that. bootstrap4 on getnikola/nikola@master uses jQuery 3.x, which is not compatible with bs2 and bs3.

And I don’t think we can easily avoid that inline script, because we need to pass some settings to the fancydates function.

appliedprivacy commented 6 years ago

Yes I was using: https://themes.getnikola.com/v7/bootstrap/

sorry for the noise