Open vicolsson opened 1 year ago
The inline script with data: was introduced in https://github.com/statamic/cms/pull/6869
The reason was so we could defer Statamic.start() until after other Vite modules are loaded.
If someone more familiar with JS can provide an alternative that would be appreciated. It might be simple! The data: solution just worked so we went with it. Didn't think about CSP at the time.
Is there any reason why the Statamic.start() can't just be in another script tag with a defer on it? That would solve the CSP side of things.
[Edit] for clarity I mean put the code in an actual .js file - it seems that specific code is always the same.
Probably could. I haven't tried it. Making a whole file just for one line probably seemed like overkill at the time. Again, didn't even consider CSP then.
Oh actually the object passed to Statamic.config() is built using PHP, so it couldn't be in a file. That'd be why.
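To make the CSP side of this thread concrete, here is an added example (not Statamic's code, and not posted by anyone in this thread): a small evaluator of the CSP script-src source-matching rules, run against the header from the reproduction steps. It shows why script-src 'self' 'unsafe-inline' rejects a script loaded from a data: URL while still allowing same-origin files and plain inline scripts, and how a nonce-based policy permits a server-rendered inline script without opening data:. The page origin https://example.test, the nonce value, the script paths and the simplified hash handling are assumptions made for the example.

```javascript
// Added example (not Statamic's code): evaluate whether a script would be
// permitted by a Content-Security-Policy header. Models the subset of the
// CSP source-matching rules needed to reproduce the issue above.

const PAGE_ORIGIN = "https://example.test"; // assumed origin of the Statamic site

// Parse "dir1 a b; dir2 c" into { dir1: ["a", "b"], dir2: ["c"] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src falls back to default-src; if neither is present the script is allowed.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// Does a single source expression match an external script URL?
function sourceMatchesUrl(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;      // data: URLs have origin "null"
  if (source === "*") return /^https?:$/.test(url.protocol);      // '*' never covers data:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {                      // scheme source, e.g. data: or https:
    return url.protocol.toLowerCase() === source.toLowerCase();
  }
  if (source.startsWith("'")) return false;                        // keywords, nonces, hashes
  // Host source: optional scheme, optional leading wildcard label, optional port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  const actual = url.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  if (wildcard ? !actual.endsWith("." + wanted) : actual !== wanted) return false;
  if (port && port !== "*" && url.port !== port) return false;
  return true;
}

// script is { src: "<url>" } for an external script, or
// { inline: true, nonce?: "<value>" } for an inline one.
function scriptAllowed(header, script, pageOrigin = PAGE_ORIGIN) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  if (script.inline) {
    const nonces = sources.filter((s) => s.startsWith("'nonce-"));
    const hashes = sources.filter((s) => /^'sha(256|384|512)-/.test(s));
    if (script.nonce && nonces.includes(`'nonce-${script.nonce}'`)) return true;
    // Simplification (assumption): hash sources are not matched against script
    // content here; they are only honoured for their side effect, which is that
    // any nonce or hash source makes 'unsafe-inline' ignored (CSP Level 2+).
    return sources.includes("'unsafe-inline'") && nonces.length === 0 && hashes.length === 0;
  }
  const url = new URL(script.src, pageOrigin);
  return sources.some((s) => sourceMatchesUrl(s, url, pageOrigin));
}

// Stand-alone demo of the header from the reproduction steps.
const issuePolicy = "script-src 'self' 'unsafe-inline'";
console.log("data: script allowed:", scriptAllowed(issuePolicy, { src: "data:text/javascript,Statamic.start()" }));
console.log("same-origin file allowed:", scriptAllowed(issuePolicy, { src: "/cp/app.js" }));
console.log("inline allowed:", scriptAllowed(issuePolicy, { inline: true }));
```

Two points follow from running it. Adding data: to script-src does make the current markup load, but data: scripts are effectively attacker-controllable strings, so that is a weakening of the policy comparable to 'unsafe-inline'. A policy such as script-src 'self' 'nonce-...' instead lets a server-rendered inline script carry the per-response nonce, which fits the PHP-built Statamic.config() object; alternatively the config can be emitted in a non-executing <script type="application/json"> block, which script-src does not govern, and read by a deferred external .js file that calls Statamic.start().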
Bug description
We've recently upgraded our Statamic sites (after way too long) and now it clashes with our CSP headers. It's this line https://github.com/statamic/cms/blob/master/resources/views/partials/scripts.blade.php#L24
Due to strict security regulations on our sites we must have CSP headers that regulate from where scripts can be loaded. Loading scripts as "data:..." is sadly not allowed. So that's currently blocking us from publishing the updated sites.
Do you think you'd be able to build some workaround? We've already opened up 'unsafe-inline' for Statamic if that helps.
How to reproduce
Deploy Statamic to a host with:
Content-Security-Policy: script-src 'self' 'unsafe-inline'
Open up /cp and you get an error in the console and the CP doesn't work.
Logs
No response
Environment
Installation
Fresh statamic/statamic site via CLI
Antlers Parser
None
Additional details
No response