mikesol / deku-documentation

Documentation for the purescript-deku project
https://deku-documentation.vercel.app

Warn users that inline CSS conflicts with CSP best practices #8

Closed toastal closed 4 weeks ago

toastal commented 1 year ago

A Content Security Policy should be implemented in every opportunity for better site security. For what should be obvious reasons, style-src: unsafe-inline is never recommended. However, the documentation has a number of instances of showing off inline CSS, style_, etc. which will likely require unsafe-inline. This could be seen as "out of scope" for the project, but when enticing users into features, they should be reminded of any negative trade-offs when present. Technically you can use nonces, but this wildly complicates a build when the simpler option is to just use external CSS.

mikesol commented 1 year ago

Thanks for the recommendation! I have to read up a bit more on inline CSS to understand the security issues, but once I grok it I'll add a note to the docs.

mikesol commented 4 weeks ago

Sorry it took me a while to respond to this. I'm going to forego including it in the docs, not because I don't agree with the practice (I do!) but rather because, as you anticipated, it's out of scope for these docs.