helloflask / bootstrap-flask

Bootstrap 4 & 5 helper for your Flask projects.
https://bootstrap-flask.readthedocs.io

Add support for strict Content Security Policy #252

Closed Dosenpfand closed 1 year ago

Dosenpfand commented 1 year ago

To support the usage of Bootstrap-Flask together with a strict Content Security Policy (CSP), to have a defense in depth against XSS attacks, the following changes have been made:

  1. Remove inline style declarations, use classes instead
  2. Remove inline JS, use HTML + CSS instead
  3. Add support of nonces with JS includes
  4. Add basic usage documentation

If desired I can still add an example and/or test case for this use case.
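The three constraints the description lists (no inline style attributes, no inline JS, a nonce on every script include) are exactly what a strict CSP enforces, and they can be checked mechanically before a template ships. The following is an added example, not code from this PR or from Bootstrap-Flask: it uses only the Python standard library, and the function names (`make_nonce`, `build_csp`, `csp_allows_inline_script`, `find_csp_violations`) and the two sample HTML fragments are constructed here for illustration.

```python
# Added example (not Bootstrap-Flask's own code): a stdlib-only model of what a
# strict, nonce-based CSP accepts, plus a small auditor that flags the template
# constructs a strict policy blocks: inline style/on* attributes, <style>
# elements, javascript: URLs and <script> tags that lack the response nonce.
import secrets
from html.parser import HTMLParser
from typing import Dict, List, Optional


def make_nonce() -> str:
    """Fresh per-response nonce; a nonce must never be reused across responses."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Strict policy: scripts run only with the nonce, no 'unsafe-inline' anywhere."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "style-src 'self'; "
        "object-src 'none'; base-uri 'none'"
    )


def script_tag(src: str, nonce: str) -> str:
    """Render an external script include that carries the response nonce."""
    return f'<script src="{src}" nonce="{nonce}"></script>'


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "a b; c d e" into {"a": ["b"], "c": ["d", "e"]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_allows_inline_script(header: str, nonce: Optional[str]) -> bool:
    """Would an inline <script> whose nonce attribute is `nonce` (None = absent)
    execute under `header`? Simplified model: only nonce sources and
    'unsafe-inline' are considered; hashes are ignored."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    # Browsers ignore 'unsafe-inline' once any nonce source is present.
    has_nonce_source = any(s.startswith("'nonce-") for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_source


class _InlineAuditor(HTMLParser):
    """Collects constructs that a strict CSP (no 'unsafe-inline') would block."""

    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.violations: List[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "script" and attrs.get("nonce") != self.nonce:
            self.violations.append("<script> without the response nonce")
        if tag == "style":
            self.violations.append("<style> element (blocked by style-src 'self')")
        if "style" in attrs:
            self.violations.append(f"inline style attribute on <{tag}>")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.violations.append(f"inline event handler {name}= on <{tag}>")
            if value and value.strip().lower().startswith("javascript:"):
                self.violations.append(f"javascript: URL in {name}= on <{tag}>")


def find_csp_violations(html: str, nonce: str) -> List[str]:
    """Return a list of strict-CSP violations found in an HTML fragment."""
    auditor = _InlineAuditor(nonce)
    auditor.feed(html)
    auditor.close()
    return auditor.violations


# Constructed sample fragments: the style of markup the PR removes, and the
# class-based, nonce-carrying equivalent it moves to.
BEFORE = (
    '<div id="flash" style="display: none" onclick="this.remove()">Saved</div>\n'
    '<script>document.getElementById("flash").style.display = "block";</script>'
)


def render_after(nonce: str) -> str:
    return (
        '<div id="flash" class="d-block">Saved</div>\n'
        + script_tag("/static/js/bootstrap.bundle.min.js", nonce)
    )


if __name__ == "__main__":
    n = make_nonce()
    print("Content-Security-Policy:", build_csp(n))
    print("before:", find_csp_violations(BEFORE, n))
    print("after: ", find_csp_violations(render_after(n), n))
```

Run as a script, the "before" fragment reports the inline style attribute, the `onclick` handler and the nonce-less `<script>`, while the "after" fragment reports nothing; the same auditor can be run over rendered output in a test suite so that a regression back to inline markup fails the build.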

greyli commented 1 year ago

Thanks for working on this. Please add tests and update the changelog.

Dosenpfand commented 1 year ago

Thanks for the feedback. I added the changelog entry, added tests and fixed the 2 findings.

greyli commented 1 year ago

Merged, thanks!