Browse Source

Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)

* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
ThibG 3 months ago
parent
commit
e1629a7758
No account linked to committer's email address

+ 2
- 0
app/views/layouts/application.html.haml View File

@@ -26,6 +26,8 @@
26 26
     = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
27 27
     = csrf_meta_tags
28 28
 
29
+    = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
30
+
29 31
     - if Setting.custom_css.present?
30 32
       = stylesheet_link_tag custom_css_path, media: 'all'
31 33
 

+ 1
- 1
config/initializers/content_security_policy.rb View File

@@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p|
22 22
   p.frame_ancestors :none
23 23
   p.font_src        :self, assets_host
24 24
   p.img_src         :self, :https, :data, :blob, assets_host
25
-  p.style_src       :self, :unsafe_inline, assets_host
25
+  p.style_src       :self, assets_host
26 26
   p.media_src       :self, :https, :data, assets_host
27 27
   p.frame_src       :self, :https
28 28
   p.manifest_src    :self, assets_host

+ 11
- 0
public/inert.css View File

@@ -0,0 +1,11 @@
1
+[inert] {
2
+  pointer-events: none;
3
+  cursor: default;
4
+}
5
+
6
+[inert], [inert] * {
7
+  user-select: none;
8
+  -webkit-user-select: none;
9
+  -moz-user-select: none;
10
+  -ms-user-select: none;
11
+}

Loading…
Cancel
Save