Closed michaelbaisch closed 2 years ago
My understanding of CSP is rusty at the moment :sweat: How did you enable CSP in your app? Do you know what the alternatives are?
That's pretty straight forward - see https://edgeguides.rubyonrails.org/security.html#content-security-policy
In config/initializers/content_security_policy.rb
active this:
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :self, :https
end
If you want to allow inline style and js (but only in a separate tag) you need to activate nonce generation:
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_directives = %w(script-src style-src)
This way you could so things like:
<%= javascript_tag nonce: true do %>
<% end -%>
<style type="text/css" nonce="<%= content_security_policy_nonce %>">
</style>
But as I said earlier it would be a cleaner solution if that display: none
would be in a regular css file and not inline.
I see, that makes sense. I wonder if the style was put inline originally due to some browser incompatibility or some such?
Browsers are better-behaved creatures these days, so perhaps we can try move this into the stylesheets as you first proposed. Would you be able to create a PR?
It was the grammarly browser extension for me that I had to disable 🤦🏽♂️
@kaka-ruto - Thank you for sharing that! 🙌 It may be helpful to other people who end up here in the future.
Hello,
after enabling CSP I get this error in the browser console when opening administrate:
Referencing this line:
Maybe this simple style could be transferred to the administrate css?
Greetings, Michael