Browse Source

Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)

* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
tags/v3.1.4
ThibG 5 months ago
committed by GitHub
parent
commit
e1629a7758
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 1 deletions
  1. +2
    -0
      app/views/layouts/application.html.haml
  2. +1
    -1
      config/initializers/content_security_policy.rb
  3. +11
    -0
      public/inert.css

+ 2
- 0
app/views/layouts/application.html.haml View File

@@ -26,6 +26,8 @@
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
= csrf_meta_tags

= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'

- if Setting.custom_css.present?
= stylesheet_link_tag custom_css_path, media: 'all'



+ 1
- 1
config/initializers/content_security_policy.rb View File

@@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p|
p.frame_ancestors :none
p.font_src :self, assets_host
p.img_src :self, :https, :data, :blob, assets_host
p.style_src :self, :unsafe_inline, assets_host
p.style_src :self, assets_host
p.media_src :self, :https, :data, assets_host
p.frame_src :self, :https
p.manifest_src :self, assets_host


+ 11
- 0
public/inert.css View File

@@ -0,0 +1,11 @@
[inert] {
pointer-events: none;
cursor: default;
}

[inert], [inert] * {
user-select: none;
-webkit-user-select: none;
-moz-user-select: none;
-ms-user-select: none;
}

Loading…
Cancel
Save