Describe the bug
I'm using this theme to host my blog at cirriustech.co.uk and I use a Content-Security-Policy HTTP Header to ensure the security of the site.
In most cases, any inline scripts or styles I can generate a hash of them and use the hash in the CSP to ensure the integrity of the resources.
However, there are 2 places where inline event handlers are used and these can't use hashes. Nonces are an alternative but they are not trivial when using a static site generator like Hugo and would require the use of some sort of Edge Worker/Function in JavaScript with Netlify who I use to host my site.
So for now I have to set `'unsafe-inline'` for both `script-src` and `style-src` which is insecure and considered a bad practice.
Please consider changes to avoid all inline scripts and inline styles.
To Reproduce
Steps to reproduce the behavior:
1. Apply a Content-Security-Policy header via your webserver, or if using Netlify, the `netlify.toml` file e.g.
2. Build site and then browse to site - notice that several elements of CSS and fonts are broken
3. Press F12 to enter developer tools in browser and view Console
4. See errors such as below (will show as line 1 as it's minified but the offending code for this is, I think, `media=print onload='this.media="all` and `<body class=light onload=loading()><script>window.matchMedia("(prefers-color-scheme: dark)").matches&&document.body.classList.add("dark")</script>`):
```
develop--cirriustech-bend.netlify.app/:1
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' c.disquscdn.com cirriustech.disqus.com *.cirriustech.co.uk platform.twitter.com d33wubrfki0l68.cloudfront.net cdn.jsdelivr.net". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
develop--cirriustech-bend.netlify.app/:1
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' c.disquscdn.com cirriustech.disqus.com *.cirriustech.co.uk platform.twitter.com d33wubrfki0l68.cloudfront.net cdn.jsdelivr.net". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
```
Expected behavior
I would expect these to either not be inline, or to move the handler into JavaScript such as solution 1 here https://makandracards.com/makandra/503862-using-inline-event-handlers-with-a-strict-content-security-policy-csp
I may have a go at this myself but I am far from a web developer!
Screenshots
N/A
Additional context
N/A
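An audit helper for the situation described in this issue, added here as an example and not part of the theme or the reporter's post: it walks a built HTML page, emits the CSP `'sha256-…'` hash-sources for inline `<script>` and `<style>` blocks (the part that can already be handled in the header), and lists the `on*` attributes and `style` attributes that no hash covers and so must be moved out of the markup. The sample HTML is constructed from the markup quoted above; `audit`, `csp_sha256` and `CspInlineAudit` are names chosen for this example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_sha256(source: str) -> str:
    # CSP hash-source for an inline block: SHA-256 over the exact text between the tags.
    return "sha256-" + base64.b64encode(hashlib.sha256(source.encode("utf-8")).digest()).decode()

class CspInlineAudit(HTMLParser):
    """Collect everything in a built page that a CSP without 'unsafe-inline' would block."""
    def __init__(self):
        super().__init__()
        self.handlers = []       # (tag, attr, value): on* attributes; hashes never apply to these
        self.style_attrs = []    # (tag, value): style="..." attributes; not hashable either
        self.script_hashes = []  # hash-sources for inline <script> blocks (add to script-src)
        self.style_hashes = []   # hash-sources for inline <style> blocks (add to style-src)
        self._capture, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases attribute names for us
        for name, value in attrs.items():
            if name.startswith("on"):
                self.handlers.append((tag, name, value))
            elif name == "style":
                self.style_attrs.append((tag, value))
        if (tag == "script" and "src" not in attrs) or tag == "style":
            self._capture, self._buf = tag, []   # raw block text arrives via handle_data

    def handle_data(self, data):
        if self._capture:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._capture:
            target = self.script_hashes if tag == "script" else self.style_hashes
            target.append(csp_sha256("".join(self._buf)))
            self._capture = None

def audit(html: str) -> CspInlineAudit:
    parser = CspInlineAudit()
    parser.feed(html)
    return parser

# Constructed sample modelled on the markup quoted in the issue, not real theme output.
SAMPLE_HTML = """<html><head>
<link rel=stylesheet href=/css/fonts.css media=print onload='this.media="all"'>
<style>body{margin:0}</style>
</head><body class=light onload=loading()>
<script>window.matchMedia("(prefers-color-scheme: dark)").matches&&document.body.classList.add("dark")</script>
<script src=/js/main.js></script>
</body></html>"""
```

Running `audit(SAMPLE_HTML)` reports the two `onload` handlers from the issue as unfixable by hash, while the dark-mode `<script>` and the `<style>` block each get a hash-source that can be pasted into the header; external scripts with `src` are ignored because they are covered by host sources.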