podlove / podlove-ui

Monorepo for all UI related projects like Web Player and Subscribe Button
MIT License

CSP, Content Security Policy #743

Open itst opened 3 years ago

itst commented 3 years ago

I am struggling to make the webplayer work on a site using CSP.

The issue seems to be that Podlove, once loaded from the whitelisted cdn.podlove.org location, and using a nonce'd episode config, sets out to create additional script, style, and iframe tags. The iframes contain additional script and style tags.

Console looks like this: https://imgur.com/T3m8khq

Before I get into an argument to 'unsafe-inline' everything, is CSP support anywhere on your roadmap?

alexander-heimbuch commented 3 years ago

Hey Sascha, a lot of elements are created in a dynamic manner. Especially creating the sandboxing iframe without a src is a potential issue for CSP. So I guess there won't be any other way than unsafe-inline. If you know a compliant solution I would appreciate any help.

itst commented 3 years ago

I don't know about source-less iframes - could that work via Subresource Integrity?

This left aside, in the past I used this approach. Call the parent element with an additional attribute/parameter data-nonce and reuse this nonce on all instances created by the parent.
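The approach described in the last comment, as an added example that is not podlove-ui code: read the nonce the host page granted the embedding script (from the script element's `nonce` property, or from a `data-nonce` attribute as suggested above) and stamp it onto every nonce-gated element the player creates, including the markup written into a src-less iframe, which inherits the parent document's CSP. The `resolveNonce`, `createNonced` and `iframeMarkup` helpers and the player bundle URL are assumptions made for this example.

```javascript
// Added example (not podlove-ui code): propagate the page's CSP nonce from the
// embedding <script> tag to everything a player creates at runtime.
// Assumption: the host page ships a nonce-based CSP and either lets the browser
// expose the nonce on the script element or passes it explicitly as data-nonce.

// Tags that CSP gates per element by nonce. An <iframe> itself is governed by
// frame-src/child-src, not by a nonce; only its *contents* need one.
const NONCE_TAGS = new Set(['script', 'style']);

// Placeholder bundle URL for the usage section below (not a real path).
const PLAYER_SRC = 'https://cdn.podlove.org/placeholder-player.js';

// Find the nonce the host page granted us. Browsers expose it on the script
// element as the `nonce` IDL property (the content attribute is hidden from
// getAttribute once the element is connected), so try that first and fall back
// to the data-nonce convention from the thread.
function resolveNonce(scriptEl) {
  if (!scriptEl) return null;
  if (scriptEl.nonce) return scriptEl.nonce;
  if (scriptEl.dataset && scriptEl.dataset.nonce) return scriptEl.dataset.nonce;
  if (typeof scriptEl.getAttribute === 'function') {
    return scriptEl.getAttribute('data-nonce') || null;
  }
  return null;
}

// Create an element in `doc` and stamp the nonce on it when the tag is
// nonce-gated. `doc` is any object with createElement (a real Document or a
// test double), so the logic stays testable outside a browser.
function createNonced(doc, tag, nonce, attrs = {}) {
  const el = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) el.setAttribute(name, value);
  if (nonce && NONCE_TAGS.has(tag.toLowerCase())) {
    el.nonce = nonce;                // the property the CSP check reads
    el.setAttribute('nonce', nonce); // survives serialisation into the iframe
  }
  return el;
}

// A src-less iframe inherits the embedding document's CSP, so the markup
// written into it must carry the same nonce on its <style> and <script> tags.
function iframeMarkup(nonce, cssText, scriptSrc) {
  const attr = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return [
    '<!doctype html><html><head>',
    `<style nonce="${attr(nonce)}">${cssText}</style>`,
    `<script nonce="${attr(nonce)}" src="${attr(scriptSrc)}"></script>`,
    '</head><body></body></html>',
  ].join('');
}

// Browser-only usage: build a sandboxed player frame whose children are nonced.
// document.currentScript is null for module scripts, so pass data-nonce there.
if (typeof document !== 'undefined' && document.currentScript) {
  const nonce = resolveNonce(document.currentScript);
  const frame = createNonced(document, 'iframe', nonce, {
    sandbox: 'allow-scripts allow-same-origin',
  });
  document.body.appendChild(frame);
  const inner = frame.contentDocument;
  inner.open();
  inner.write(iframeMarkup(nonce, 'body{margin:0}', PLAYER_SRC));
  inner.close();
}
```

Two caveats worth knowing when applying this: a `script-src` that includes `'strict-dynamic'` already extends trust to scripts created by an already-trusted script, but it does nothing for `<style>` elements, so those still need the nonce; and the nonce must be regenerated per response by the server, since reusing a fixed value defeats the point of nonce-based CSP.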