Closed. Udera closed this 7 years ago.
I think we should make this configurable, via `variables.php`. E.g. `$allowframing = false;` by default or something like that.
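One way the proposed switch could drive the response headers, as an added example that is not the project's own code: it assumes a `variables.php` that defines `$allowframing` (the name from the comment above) and is included before any output; the function names and the exact header values are my assumptions, not something this PR specifies.

```php
<?php
// Added example, not the project's code. Assumes variables.php defines
// $allowframing (name taken from the proposal above); function names and
// header values are hypothetical.

// --- variables.php (hypothetical) ---
// Opt in to being embedded in frames; the safe default is off.
$allowframing = false;

// --- shared include, must run before any output is sent ---

// Returns the anti-framing headers for the given setting. Kept separate
// from the sending so it can be unit-tested without a web SAPI.
function frameHeaders(bool $allowframing): array
{
    if ($allowframing) {
        // Caller explicitly wants the app to be embeddable: send nothing.
        return [];
    }
    // Belt and braces: current browsers honour frame-ancestors, older
    // ones only X-Frame-Options. Both forbid framing by any origin.
    return [
        'X-Frame-Options: DENY',
        "Content-Security-Policy: frame-ancestors 'none'",
    ];
}

function sendFrameHeaders(bool $allowframing): void
{
    if (headers_sent($file, $line)) {
        // Too late: output already started, so the headers would be silently lost.
        trigger_error("anti-framing headers not sent, output started at $file:$line", E_USER_WARNING);
        return;
    }
    foreach (frameHeaders($allowframing) as $h) {
        header($h);
    }
}

sendFrameHeaders($allowframing);
```

Note that `frame-ancestors` on its own does not restrict inline script or style; only a CSP that also carries `script-src` / `style-src` (or `default-src`) without `'unsafe-inline'` does, which is what the inline-code concern below is about.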
There is a problem with inline code (JavaScript/CSS), which is not supported by default: https://developer.chrome.com/extensions/contentSecurityPolicy#JSExecution
We have some pages where we use `onload` to focus on the first form field; we can replace this by putting `autofocus` into the field which is supposed to be focused (supported by HTML 5). Another example is the automatic password generator, and there are a few cases with inline CSS code.
Not sure if it is worth working over all these examples to make CSP work.
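To see how much of that work there actually is, a small audit that lists the markup a CSP without `'unsafe-inline'` would block, as an added example (not code from this PR or the project): inline `<script>` blocks, `on*` handlers such as the `onload` focus mentioned above, `javascript:` URLs, `<style>` blocks and `style=""` attributes. Both sample pages are constructed for the example; the "after" page shows the `autofocus` replacement plus an external script, which the same audit reports as clean. The checks are regex heuristics, not an HTML parser.

```php
<?php
// Added example, not the project's code. Heuristic audit for markup that
// a CSP with script-src/style-src 'self' (no 'unsafe-inline') would block.
// The two sample pages below are constructed for this example.

function cspInlineFindings(string $html): array
{
    $findings = [];
    $checks = [
        // <script> with neither src= nor nonce= : an inline script block
        'inline <script> block'    => '/<script\b(?![^>]*\b(?:src|nonce)\s*=)[^>]*>/i',
        // onload=, onclick=, ... : inline event handler attribute
        'inline on* event handler' => '/\son[a-z]+\s*=\s*["\']?/i',
        // href="javascript:..." : script smuggled through a URL
        'javascript: URL'          => '/\b(?:href|src|action)\s*=\s*["\']?\s*javascript:/i',
        // <style> element : inline stylesheet
        'inline <style> block'     => '/<style\b[^>]*>/i',
        // style="..." : inline style attribute
        'style= attribute'         => '/\sstyle\s*=\s*["\']/i',
    ];
    foreach ($checks as $label => $re) {
        if (preg_match_all($re, $html, $m, PREG_OFFSET_CAPTURE)) {
            foreach ($m[0] as [$text, $offset]) {
                // Report a 1-based line number so the finding is easy to locate.
                $line = substr_count($html, "\n", 0, $offset) + 1;
                $findings[] = sprintf('line %d: %s (%s)', $line, $label, trim($text));
            }
        }
    }
    return $findings;
}

// Constructed "before" page: onload focus, inline style/script, javascript: link.
$before = <<<'HTML'
<html><head><style>.err { color: red; }</style></head>
<body onload="document.getElementById('user').focus()">
<form method="post" action="login.php">
  <input id="user" name="user" type="text">
  <input name="pass" type="password" style="width: 20em">
  <a href="javascript:genpw()">generate password</a>
  <script>function genpw() { /* ... */ }</script>
</form></body></html>
HTML;

// Constructed "after" page: autofocus attribute, external CSS and JS,
// a real button that the external script wires up by id.
$after = <<<'HTML'
<html><head><link rel="stylesheet" href="style.css"></head>
<body>
<form method="post" action="login.php">
  <input id="user" name="user" type="text" autofocus>
  <input name="pass" type="password" class="wide">
  <button type="button" id="genpw">generate password</button>
  <script src="genpw.js"></script>
</form></body></html>
HTML;

foreach (['before (onload/inline)' => $before, 'after (autofocus/external)' => $after] as $name => $html) {
    $f = cspInlineFindings($html);
    printf("%s: %d finding(s)\n", $name, count($f));
    foreach ($f as $line) {
        echo "  $line\n";
    }
}
```

Run with `php audit.php` (any file name): the first page yields five findings, one per line 1, 2, 5, 6 and 7; the second yields none. `autofocus` is a plain attribute, not script, so a strict `script-src` does not affect it, whereas every item the audit flags on the first page is refused by the browser once `'unsafe-inline'` is dropped.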
This option is now configurable and disabled by default. PR updated.
Fix #209