GetSimple Support Forum
QUESTION have you added a content security policy to your website? - Printable Version

+- GetSimple Support Forum (http://get-simple.info/forums)
+-- Forum: GetSimple (http://get-simple.info/forums/forumdisplay.php?fid=3)
+--- Forum: General Questions and Problems (http://get-simple.info/forums/forumdisplay.php?fid=16)
+--- Thread: QUESTION have you added a content security policy to your website? (/showthread.php?tid=15442)



have you added a content security policy to your website? - craiga - 2020-11-12

I'm working on a website where we require the implementation of content security policy (csp). It's going ok so far but I have an issue with the inline styles that are being added (presumably via the ckeditor).

Has anyone else added a csp to any of their GS websites? I would be interested in seeing how you dealt with this issue.

Ideally without using unsafe-inline if possible. I know I can use a nonce or hash but was unsure where the inline styles were being generated.

Thanks
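
As an added illustration of the nonce-or-hash route mentioned above (not code from the thread, GetSimple or CKEditor): the helper below scans a page fragment for `<style>` elements and `style="..."` attributes, computes the CSP hash source for each, and builds a `style-src` directive that does not need `'unsafe-inline'`. The sample HTML is constructed; the regexes assume double-quoted attributes and are for demonstration, not a full HTML parser.

```python
import base64
import hashlib
import re

# Constructed sample of the kind of editor-generated markup the thread describes:
# one <style> element plus one style attribute on a paragraph.
SAMPLE_HTML = """<style>p { color: red; }</style>
<p style="text-align: center;">Hello</p>
"""

STYLE_ELEMENT_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.DOTALL | re.IGNORECASE)
STYLE_ATTR_RE = re.compile(r'\sstyle="([^"]*)"', re.IGNORECASE)


def csp_sha256(source: str) -> str:
    """CSP hash source for an inline block: 'sha256-' + base64(sha256(exact UTF-8 text)).

    The hash covers the text exactly as served (whitespace included), so any
    change the editor makes to the markup changes the required hash.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def style_src_directive(html: str) -> str:
    """Build a style-src directive admitting the inline styles in `html`.

    <style> elements are matched by a plain hash source. style="..." attributes
    are only hash-matched when 'unsafe-hashes' (CSP level 3) is also listed;
    a hash alone does nothing for attributes, which is why editor output that
    emits style attributes is the hard case in the thread.
    """
    sources = ["'self'"]
    for body in STYLE_ELEMENT_RE.findall(html):
        sources.append(csp_sha256(body))
    attr_values = STYLE_ATTR_RE.findall(html)
    if attr_values:
        sources.append("'unsafe-hashes'")
        sources.extend(csp_sha256(value) for value in attr_values)
    # dict.fromkeys keeps order while dropping duplicate hashes
    return "style-src " + " ".join(dict.fromkeys(sources))


if __name__ == "__main__":
    print(style_src_directive(SAMPLE_HTML))
```

Browsers that do not implement `'unsafe-hashes'` will still block the hashed attributes, so check the resulting report-only violations before enforcing the policy.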


RE: have you added a content security policy to your website? - Felix - 2020-11-12

Hi craiga,

With CSP style elements and scripts are no longer allowed to appear directly, you must store style elements
in separate stylesheets and create separate files for each script.

This might help
https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/


RE: have you added a content security policy to your website? - craiga - 2020-11-12

(2020-11-12, 20:06:36)Felix Wrote: Hi craiga,

With CSP style elements and scripts are no longer allowed to appear directly, you must store style elements
in separate stylesheets and create separate files for each script.

This might help
https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/

Thanks Felix. I've already conducted a huge amount of research on csp. My scripts are no longer inline but in separate files as dictated by Mozilla, content-security-policy.com and numerous other resources.

My question was, what have other GS users done to ensure the inline scripts or styles generated by ckeditor or the cms can work correctly.

Thanks


RE: have you added a content security policy to your website? - Felix - 2020-11-12

Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind.


RE: have you added a content security policy to your website? - craiga - 2020-11-13

(2020-11-12, 23:48:46)Felix Wrote: Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind.

Good one

Let's hope the new version of GS uses the newest version of CKEditor then. For now I have done what most cms users are having to do and use unsafe-inline for scripts and styles. I did some more research relating to csp and cms integration and it appears we are all in the same boat. WordPress, Craft, Joomla and GS - we all have the same issue.

Oh well, never mind

Thanks again for the reply


RE: have you added a content security policy to your website? - MicroNiche - 2020-12-08

(2020-11-13, 00:54:56)craiga Wrote:
(2020-11-12, 23:48:46)Felix Wrote: Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind.

Good one

Let's hope the new version of GS uses the newest version of CKEditor then. For now I have done what most cms users are having to do and use unsafe-inline for scripts and styles. I did some more research relating to csp and cms integration and it appears we are all in the same boat. WordPress, Craft, Joomla and GS - we all have the same issue.

Oh well, never mind

Thanks again for the reply

https://content-security-policy.com/#source_list has some very good information. I currently use <meta http-equiv="Content-Security-Policy" content="https: img-src https:"> which allows my google fonts and socialization icons.