Posts: 116
Threads: 38
Joined: Sep 2017
I'm working on a website where we require the implementation of content security policy (csp). It's going ok so far but I have an issue with the inline styles that are being added (presumably via the ckeditor).
Has anyone else added a csp to any of their GS websites? I would be interested in seeing how you dealt with this issue.
Ideally without using unsafe-inline if possible. I know I can use a nonce or hash but was unsure where the inline styles were being generated.
Thanks
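As an added example (not from this thread, GetSimple or CKEditor), the hash approach craiga mentions: a Python script that hashes the inline <style> elements of a rendered page and emits a style-src directive without 'unsafe-inline'; the sample HTML is constructed. It also shows the catch for editor-generated style="" attributes, which hash sources cover only when the CSP3 'unsafe-hashes' keyword is added.

```python
import base64
import hashlib
import re

# Constructed sample of CMS output: one <style> element (hashable) and one
# style="" attribute, which a plain hash source does not cover.
SAMPLE_HTML = """<html><head>
<style>
p { color: #333; }
</style>
</head><body>
<p style="text-align:center">Hello</p>
</body></html>"""

STYLE_ELEMENT = re.compile(r"<style[^>]*>(.*?)</style>", re.S | re.I)
STYLE_ATTRIBUTE = re.compile(r'\sstyle\s*=\s*"([^"]*)"', re.I)


def csp_hash(source: str) -> str:
    """Return the CSP 'sha256-...' source for an inline block.

    The hash covers the exact element content, whitespace included, so the
    markup must be served byte-for-byte as it was hashed.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def style_element_hashes(html: str) -> list[str]:
    """Hash every <style> element so style-src can allow it without 'unsafe-inline'."""
    return [csp_hash(m.group(1)) for m in STYLE_ELEMENT.finditer(html)]


def style_attribute_hashes(html: str) -> list[str]:
    """Hash style="" attributes; browsers honour these hashes only with 'unsafe-hashes'."""
    return [csp_hash(m.group(1)) for m in STYLE_ATTRIBUTE.finditer(html)]


def build_style_src(html: str, allow_attributes: bool = False) -> str:
    """Build a style-src directive from the page content."""
    sources = ["'self'"] + [f"'{h}'" for h in style_element_hashes(html)]
    if allow_attributes:
        sources.append("'unsafe-hashes'")
        sources += [f"'{h}'" for h in style_attribute_hashes(html)]
    return "style-src " + " ".join(sources)


if __name__ == "__main__":
    print(build_style_src(SAMPLE_HTML))
    print(build_style_src(SAMPLE_HTML, allow_attributes=True))
```

Because the hashes change whenever the editor output changes, the directive has to be regenerated at render time (or a per-response nonce used instead), which is why most CMS integrations fall back to 'unsafe-inline'.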
Posts: 515
Threads: 21
Joined: Feb 2019
Hi craiga,
With CSP, style elements and scripts are no longer allowed to appear directly; you must store style elements
in separate stylesheets and create separate files for each script.
This might help
https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/
Posts: 116
Threads: 38
Joined: Sep 2017
(2020-11-12, 20:06:36)Felix Wrote: Hi craiga,
With CSP, style elements and scripts are no longer allowed to appear directly; you must store style elements
in separate stylesheets and create separate files for each script.
This might help
https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/
Thanks Felix. I've already conducted a huge amount of research on CSP. My scripts are no longer inline but in separate files, as dictated by Mozilla, content-security-policy.com and numerous other resources.
My question was, what have other GS users done to ensure the inline scripts or styles generated by ckeditor or the cms can work correctly.
Thanks
Posts: 515
Threads: 21
Joined: Feb 2019
Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind
Posts: 116
Threads: 38
Joined: Sep 2017
(2020-11-12, 23:48:46)Felix Wrote: Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind
Good one
Let's hope the new version of GS uses the newest version of CKEditor then. For now I have done what most CMS users are having to do and use unsafe-inline for scripts and styles. I did some more research relating to CSP and CMS integration and it appears we are all in the same boat. WordPress, Craft, Joomla and GS - we all have the same issue.
Oh well, never mind
Thanks again for the reply
Posts: 1
Threads: 0
Joined: Dec 2020
(2020-11-13, 00:54:56)craiga Wrote: (2020-11-12, 23:48:46)Felix Wrote: Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind
Good one
Let's hope the new version of GS uses the newest version of CKEditor then. For now I have done what most CMS users are having to do and use unsafe-inline for scripts and styles. I did some more research relating to CSP and CMS integration and it appears we are all in the same boat. WordPress, Craft, Joomla and GS - we all have the same issue.
Oh well, never mind
Thanks again for the reply
https://content-security-policy.com/#source_list has some very good information. I currently use <meta http-equiv="Content-Security-Policy" content="https: img-src https:">
which allows my google fonts and socialization icons.