rust-lang / mdBook

Create book from markdown files. Like Gitbook but implemented in Rust
https://rust-lang.github.io/mdBook/
Mozilla Public License 2.0

Use Content-Security-Policy compatible scripts #2419

Open reixav opened 2 months ago

reixav commented 2 months ago

Problem

Trying to enable CSP in a webserver and serve mdBook is a little bit difficult, as inline scripts are not recommended by default. Perhaps you could implement hash-like scripts:

<script
  src="https://example.com/example-framework.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

and move from unsafe inline scripts to a nonce.

Proposed Solution

No response

Notes

I have tested with nginx with:

add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; frame-ancestors 'none'; form-action 'none'; script-src 'self' 'unsafe-inline' ; block-all-mixed-content" always;
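The two mechanisms the issue asks for (CSP hash sources for inline scripts, SRI integrity values for external ones) can be computed from the rendered HTML. This is an added example, not code from the issue or from mdBook; the sample HTML below is constructed, and the `script-src` it produces is what would replace the `'unsafe-inline'` in the nginx header above.

```python
"""Compute CSP hash sources for inline scripts and SRI integrity values.

Added example, not part of the mdBook issue or project. Assumes the
rendered HTML is available as a string; SAMPLE_HTML is constructed.
"""
import base64
import hashlib
import re

# Matches <script ...>body</script>; scripts with a src attribute are external.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def csp_hash(body: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script: digest of the exact text between
    the tags (no trimming; browsers hash the whitespace too)."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value (integrity="...") for an external file's bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def inline_script_hashes(html: str) -> list:
    """Return CSP hash-sources for every inline <script> in the page."""
    hashes = []
    for attrs, body in SCRIPT_RE.findall(html):
        if SRC_RE.search(attrs):
            continue  # external script: allowed by 'self' (plus SRI), not by hash
        hashes.append(csp_hash(body))
    return hashes


def script_src_directive(html: str) -> str:
    """Build a script-src directive allowing same-origin files plus the page's
    inline scripts by hash, so 'unsafe-inline' is no longer needed."""
    return "script-src 'self' " + " ".join(inline_script_hashes(html))


# Constructed sample resembling an mdBook page: one external, one inline script.
SAMPLE_HTML = (
    '<script src="book.js"></script>\n'
    '<script>window.path_to_root = "";</script>\n'
)

if __name__ == "__main__":
    print(script_src_directive(SAMPLE_HTML))
```

Every inline script in the book must be hashed (or given a server-issued nonce), which is why the issue asks for this to be done at build time rather than by hand.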