QUESTION have you added a content security policy to your website? - Printable Version

+- GetSimple Support Forum (http://get-simple.info/forums)
+-- Forum: GetSimple (http://get-simple.info/forums/forumdisplay.php?fid=3)
+--- Forum: General Questions and Problems (http://get-simple.info/forums/forumdisplay.php?fid=16)
+--- Thread: QUESTION have you added a content security policy to your website? (/showthread.php?tid=15442)

have you added a content security policy to your website? - craiga - 2020-11-12

I'm working on a website where we require the implementation of content security policy (csp).

It's going ok so far but I have an issue with the inline styles that are being added (presumably via the ckeditor).

Has anyone else added a csp to any of their GS websites? I would be interested in seeing how you dealt with this issue. Ideally without using unsafe-inline if possible.

I know I can use a nonce or hash but was unsure where the inline styles were being generated.

Thanks

RE: have you added a content security policy to your website? - Felix - 2020-11-12

Hi craiga,

With CSP, style elements and scripts are no longer allowed to appear directly, you must store style elements in separate stylesheets and create separate files for each script.

This might help

https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/

RE: have you added a content security policy to your website? - craiga - 2020-11-12

(2020-11-12, 20:06:36) Felix Wrote: Hi craiga,

Thanks Felix.

I've already conducted a huge amount of research on csp. My scripts are no longer inline but in separate files as dictated by mozilla, content-security-policy.com and numerous other resources.

My question was, what have other GS users done to ensure the inline scripts or styles generated by ckeditor or the cms can work correctly.

Thanks

RE: have you added a content security policy to your website? - Felix - 2020-11-12

Hi,

Myself, I haven't done anything with CSP yet. But maybe CKEditor 5 is an option here?

It appears that CKEditor 5 is being written with support for Content Security Policy in mind.

RE: have you added a content security policy to your website? - craiga - 2020-11-13

(2020-11-12, 23:48:46) Felix Wrote: Hi,

Good one

Let's hope the new version of GS uses the newest version of CKEditor then.
For now I have done what most cms users are having to do and use unsafe-inline for scripts and styles.

I did some more research relating to csp and cms integration and it appears we are all in the same boat. WordPress, craft, Joomla and GS - we all have the same issue.

Oh well, never mind

Thanks again for the reply

RE: have you added a content security policy to your website? - MicroNiche - 2020-12-08

(2020-11-13, 00:54:56) craiga Wrote:
(2020-11-12, 23:48:46) Felix Wrote: Hi,

https://content-security-policy.com/#source_list has some very good information. I currently use

<meta http-equiv="Content-Security-Policy" content="https: img-src https:">

which allows my google fonts and socialization icons.
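
For the question this thread leaves open (where the inline styles come from, and whether a nonce or hash can cover them), here is an added example that is not code from any poster or from GetSimple: a Python audit that walks rendered page HTML, lists every inline `<style>`/`<script>` element and every `style=` or `on*` attribute with its line number, and builds a hashed `style-src` value. The sample HTML, file paths and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample of rendered page output (not taken from the thread).
SAMPLE = """<head><link rel="stylesheet" href="/theme/style.css">
<style>body{margin:0}</style></head>
<body><p style="text-align:center">Centered in the editor</p>
<script src="/theme/site.js"></script></body>"""

def csp_hash(text):
    """CSP hash source for an inline block: 'sha256-<base64 of SHA-256>'."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (kind, line, text) for everything CSP would block
        self._inline, self._chunks = None, []  # open <style>/<script> state
    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "style" or (tag == "script" and "src" not in dict(attrs)):
            self._inline, self._chunks = (tag, line), []
        for name, value in attrs:
            # Attributes cannot carry a nonce; hashing them needs 'unsafe-hashes'.
            if name == "style" or name.startswith("on"):
                kind = "style-attr" if name == "style" else "event-attr"
                self.findings.append((kind, line, value or ""))
    def handle_data(self, data):
        if self._inline:
            self._chunks.append(data)
    def handle_endtag(self, tag):
        if self._inline and tag == self._inline[0]:
            self.findings.append((tag + "-element", self._inline[1], "".join(self._chunks)))
            self._inline = None

def audit(html):
    parser = InlineAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def style_src(findings):
    """style-src value that hashes each <style> element, no 'unsafe-inline'."""
    hashes = sorted({csp_hash(t) for k, _, t in findings if k == "style-element"})
    return " ".join(["style-src", "'self'"] + hashes)

if __name__ == "__main__":
    print(*audit(SAMPLE), style_src(audit(SAMPLE)), sep="\n")
```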