Closed toastal closed 4 weeks ago
Thanks for the recommendation! I have to read up a bit more on inline CSS to understand the security issues, but once I grok it I'll add a note to the docs.
Sorry it took me a while to respond to this. I'm going to forgo including it in the docs, not because I don't agree with the practice (I do!) but rather because, as you anticipated, it's out of scope for these docs.
A Content Security Policy should be implemented at every opportunity for better site security. For what should be obvious reasons, `style-src: unsafe-inline` is never recommended. However, the documentation has a number of instances showing off inline CSS, `style_`, etc. which will likely require `unsafe-inline`. This could be seen as "out of scope" for the project, but when enticing users into features, they should be reminded of any negative trade-offs when present. Technically you can use nonces, but this wildly complicates a build when the simpler option is to just use external CSS.
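As an added example (not from this issue or the project), a small Python audit that parses a CSP header and reports which inline CSS in a page the policy would block; the two sample documents are constructed. It also shows the nuance behind the nonce remark above: a nonce only covers `<style>` elements, while `style=` attributes are blocked unless `'unsafe-inline'` is in effect.

```python
from html.parser import HTMLParser

# Constructed sample documents (not taken from the project's docs).
INLINE_HTML = """<html><head><style nonce="abc123">body{margin:0}</style></head>
<body><p style="color:red">inline attribute</p></body></html>"""
EXTERNAL_HTML = """<html><head><link rel="stylesheet" href="/site.css"></head>
<body><p class="warn">no inline CSS</p></body></html>"""

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

class InlineCssFinder(HTMLParser):
    """Record the nonce of every <style> element and count style= attributes."""
    def __init__(self):
        super().__init__()
        self.style_nonces = []
        self.style_attrs = 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self.style_nonces.append(attrs.get("nonce"))
        if "style" in attrs:
            self.style_attrs += 1

def audit_inline_css(html, csp_header):
    """List the inline CSS in `html` that `csp_header` would block."""
    policy = parse_csp(csp_header)
    if "style-src" not in policy and "default-src" not in policy:
        return []  # no governing directive: the browser applies no restriction
    sources = policy.get("style-src", policy.get("default-src"))
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    # CSP2+ browsers ignore 'unsafe-inline' once any nonce or hash source is present.
    if "'unsafe-inline'" in sources and not nonces and not hashes:
        return []
    finder = InlineCssFinder()
    finder.feed(html)
    findings = []
    # Hash sources are not matched here: an un-nonced <style> is reported as blocked.
    for nonce in finder.style_nonces:
        if nonce not in nonces:
            findings.append("<style> element blocked (no matching nonce)")
    # Nonces never cover style= attributes; only 'unsafe-inline' (or 'unsafe-hashes' plus hashes) does.
    if finder.style_attrs:
        findings.append(f"{finder.style_attrs} style= attribute(s) blocked")
    return findings
```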